This Metasploit module exploits an arbitrary command injection in Webmin versions prior to 1.997. Webmin uses the OS package manager (apt, yum, etc.) to perform package updates and installation. Due to a lack of input sanitization, it is possible to inject an arbitrary command that will be concatenated to the package manager call. This exploit requires authentication and the account must have access to the Software Package Updates module.
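The concatenation flaw described above, shown next to a hardened form, as an added example that is not code from Webmin or from the Metasploit module. The `apt-get` command shape, the `PKG_RE` allowlist and all function names are assumptions made for illustration, and the sample inputs are constructed.

```python
import re

# Assumed allowlist: Debian-style package name with optional "=version".
# This is an illustrative rule, not the check Webmin itself applies.
PKG_RE = re.compile(r"[a-z0-9][a-z0-9+.-]*(?:=[A-Za-z0-9.+~:-]+)?")

def build_unsafe(field: str) -> str:
    """Vulnerable pattern: the request field is concatenated into a string
    that is later handed to a shell, so ';', '|', '&&', '$()' and backticks
    in the field become shell syntax instead of package names."""
    return "apt-get -y install " + field

def build_safe(field: str) -> list[str]:
    """Hardened pattern: validate every name and return an argv list meant
    for subprocess.run(argv, shell=False), which never invokes a shell."""
    names = field.split()
    if not names:
        raise ValueError("no package names supplied")
    for name in names:
        if not PKG_RE.fullmatch(name):
            raise ValueError(f"rejected package name: {name!r}")
    # "--" ends option parsing, so a name can never be read as a flag.
    return ["apt-get", "-y", "install", "--", *names]

def classify(field: str) -> str:
    """Return 'ok' or 'rejected'; rejected values are worth logging."""
    try:
        build_safe(field)
        return "ok"
    except ValueError:
        return "rejected"

# Constructed sample inputs (not taken from the advisory).
SAMPLES = [
    "nginx",
    "libssl3=3.0.2-0ubuntu1.10 curl",
    "nginx; echo INJECTED",   # shell metacharacter in the field
    "$(id)",                  # command substitution
    "-o APT::Foo=1",          # option injection, no metacharacters needed
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:36} -> {classify(s):8} unsafe string: {build_unsafe(s)!r}")
```

The last sample shows why the allowlist and the `--` separator are both kept: passing an argv list removes shell interpretation, but a value beginning with `-` would still reach the package manager as an option.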
I agree. It is possible to insert an arbitrary command that will be concatenated to the package management call due to a lack of input sanitization. The account must be authenticated for this attack and have permission to the Software Package Updates module.