1. Introduction
Webmin 1.840 / 1.880 is affected by a local file inclusion vulnerability. This allows an attacker to read sensitive system files, such as the ‘/etc/shadow’ file, potentially compromising user credentials and system security. Systems running vulnerable versions of Webmin with the default configuration are at risk. A successful exploit could lead to confidentiality breaches through access to sensitive data.
2. Technical Explanation
The vulnerability occurs because Webmin 1.840 and 1.880 ship with a weak default setting that allows any file to be viewed as a log file. An attacker can use this to request arbitrary files from the server in a Local File Inclusion (LFI) attack. The CVE associated with this issue is CVE-2018-8712.
- Root cause: The ‘Can view any file as a log file’ setting defaults to Yes, creating an unsafe default configuration.
- Exploit mechanism: An attacker can send a GET request to the server requesting a specific file via the ‘save_log.cgi’ script with the ‘view=1&file=/etc/shadow’ parameter. This retrieves the contents of the specified file. For example:
http://example.com/syslog/save_log.cgi?view=1&file=/etc/shadow
- Scope: Webmin versions 1.840 and 1.880 are affected.
3. Detection and Assessment
You can confirm a system is vulnerable by checking the Webmin version and configuration. A quick check involves looking at the running processes or UI settings.
- Quick checks: Check the Webmin version via the web interface (usually under ‘System Information’) or using the command webmin -v.
- Scanning: Nessus vulnerability ID 120986 may detect this issue, but relies on self-reported version numbers. Other scanners may have similar checks.
- Logs and evidence: Webmin logs are not typically specific to this vulnerability; however, unusual access attempts to ‘save_log.cgi’ could indicate exploitation attempts. Check /var/log/webmin for suspicious activity.
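One way to triage the ‘save_log.cgi’ requests mentioned above, as an added example that is not part of the original advisory or of Webmin itself. It assumes the access log is in Common Log Format and that genuine log files live under /var/log/; both are assumptions to adjust for your installation, and the sample lines are constructed.

```python
import posixpath
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: the access log uses Common Log Format; adjust for your install.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumption: directories that hold genuine log files on this host.
ALLOWED_PREFIXES = ("/var/log/",)

def flag_save_log_requests(lines):
    """Return (ip, user, status, path) for save_log.cgi requests whose
    'file' parameter resolves outside the allowed log directories."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the assumed format
        url = urlsplit(m["target"])
        if posixpath.basename(url.path) != "save_log.cgi":
            continue
        # parse_qs percent-decodes values; normpath collapses "../" segments.
        for raw in parse_qs(url.query).get("file", []):
            path = posixpath.normpath(raw)
            if not path.startswith(ALLOWED_PREFIXES):
                findings.append((m["ip"], m["user"], int(m["status"]), path))
    return findings

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '192.0.2.10 - admin [12/Mar/2018:10:15:32 +0000] '
    '"GET /syslog/save_log.cgi?view=1&file=/etc/shadow HTTP/1.1" 200 1532',
    '192.0.2.11 - admin [12/Mar/2018:10:16:02 +0000] '
    '"GET /syslog/save_log.cgi?view=1&file=/var/log/syslog HTTP/1.1" 200 48211',
    '198.51.100.7 - operator [12/Mar/2018:10:17:45 +0000] '
    '"GET /syslog/save_log.cgi?view=1&file=%2Fvar%2Flog%2F..%2F..%2Fetc%2Fshadow'
    ' HTTP/1.1" 200 1532',
    '192.0.2.12 - - [12/Mar/2018:10:18:10 +0000] "GET /sysinfo.cgi HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for hit in flag_save_log_requests(SAMPLE):
        print(hit)
```

A 200 status on a flagged line means the file was served and should be treated as disclosed.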
4. Solution / Remediation Steps
Fix the issue by disabling the ability to view any file as a log file in Webmin’s configuration.
4.1 Preparation
- Ensure you have access to modify Webmin’s configuration settings. A roll back plan involves restoring the original configuration file if needed.
- A change window may be necessary depending on your organisation’s policies. Approval from a system administrator might be required.
4.2 Implementation
- Step 1: Open the Webmin configuration file, typically located at /etc/webmin/config.
- Step 2: Find the line containing ‘Can view any file as a log file = Yes’.
- Step 3: Change ‘Yes’ to ‘No’.
- Step 4: Save the changes to the configuration file.
- Step 5: Restart the Webmin service using the command systemctl restart webmin or equivalent for your system.
4.3 Config or Code Example
Before
Can view any file as a log file = Yes
After
Can view any file as a log file = No
4.4 Security Practices Relevant to This Vulnerability
Several security practices can help prevent this type of issue.
- Practice 1: Least privilege – limit user access rights to only what is necessary, reducing the impact if an account is compromised.
- Practice 2: Safe defaults – ensure applications use secure default configurations and require explicit configuration changes for less secure options.
4.5 Automation (Optional)
If you manage Webmin configurations with a tool like Ansible, you can automate this change.
---
- name: Disable viewing any file as log file in Webmin
  lineinfile:
    path: /etc/webmin/config
    regexp: '^Can view any file as a log file = Yes$'
    line: 'Can view any file as a log file = No'
  become: true
5. Verification / Validation
Confirm the fix by checking the Webmin configuration and attempting to exploit the vulnerability.
- Post-fix check: Run grep "Can view any file as a log file = No" /etc/webmin/config. The output should show the line 'Can view any file as a log file = No'.
- Re-test: Attempt to access '/etc/shadow' via the save_log.cgi script (e.g., http://example.com/syslog/save_log.cgi?view=1&file=/etc/shadow). The request should now be denied with an error message.
- Monitoring: Monitor /var/log/webmin for any access attempts to 'save_log.cgi' which should now be blocked.
6. Preventive Measures and Monitoring
Update security baselines and implement checks in your deployment pipeline to prevent similar issues.
- Baselines: Update your security baseline or policy to require 'Can view any file as a log file = No' for Webmin installations.
- Pipelines: Add static analysis (SAST) tools to your CI/CD pipeline to identify insecure default configurations in application code and configuration files.
- Asset and patch process: Review and apply security patches for Webmin regularly, ideally within 72 hours of release.
7. Risks, Side Effects, and Roll Back
Changing the Webmin configuration may affect logging functionality if users previously relied on viewing arbitrary files as logs.
- Risk or side effect 1: Disabling 'Can view any file as a log file' might break existing monitoring scripts that rely on this feature.
- Risk or side effect 2: Users with legitimate needs to view specific system files may require alternative access methods.
- Roll back: Restore the original Webmin configuration file from your backup and restart the Webmin service.
8. References and Resources
- Vendor advisory or bulletin: http://www.webmin.com/changes.html
- NVD or CVE entry: CVE-2018-8712
- Product or platform documentation relevant to the fix: http://www.webmin.com/security.html