Filemin JQuery vulnerabilities

Operating system: CentOS Linux release 8.4.2105

Webmin version: 1.981

Hey all,

Sorry if this has been answered before but I’ve searched and nothing’s come up. According to my vulnerability scanner, the version of JQuery (v1.10.2) used by the bundled Filemin (/usr/libexec/webmin/filemin/unauthenticated/jquery) is very outdated and is vulnerable to two exploits:

CVE-2020-11022 & CVE-2020-11023

Does anyone know if this version of JQuery is going to be updated in Webmin or, failing that, had any success with updating JQuery to v3.5.0+?

I guess my last option is to disable/remove Filemin, so if anyone has any pointers on how to go about that I’d be grateful too!

Thanks for reading.

Loz

Hi,

This is not the version of jQuery but jQuery UI.

It has no real life vulnerabilities really though.

We have jQuery 3.4.1 used, if I remember correctly. I skipped intentionally jQuery 3.5 as I thought they had bugs in it and it just appeared that they actually did, as it was announced that a regression bug is just now fixed.

I will check if we can swiftly upgrade to a freshly released jQuery 3.6.0 but again it won’t give you any security benefits.

Thanks Ilia,

From my reading around the subject, the vulnerabilities have only been addressed in v3.5.0 and above, but obviously if 3.5 itself is buggy it might be better to go to a newer version.

So is it your belief that using jQuery’s DOM manipulation methods (i.e. .html(), .append() etc.) could not be exploited to execute malicious code in Filemin’s implementation?

Thanks for getting back to me.

I am pretty sure they cannot be exploited in real-life application cases. Nevertheless, if you discover anything, let me know and I’ll fix that.

I’ve not heard of any “in the wild” cases but, given that it shows up as two separate exploits on my vulnerability scanner (albeit as a ‘medium’ risk), I’d want to mitigate before that could happen.

The version of JQuery in use by Filemin is over 8 years old and the CVEs were only posted last year so who knows if/how many times this has been actively exploited?

I completely appreciate that you’ve probably got many other plates spinning, so this will be a low priority.

Until then, do you know if it is possible to disable Filemin completely in my deployments in Webmin?

hose vulnerabilities you put here are just standard bug going around. I run my blog in public with those and nothing happened its just there but since my blog - I am not stupid and use other techniques - you should secure server it self then test it and test it again - your code and hen complain if you still find a way in.

running latest js does not mean you are protected - it means for sure you are more secured but also you are running to new bugs etc… believe me someone will discover them and use them before it will be known veeery quietly. However its behind password and login - so, are you secured enough ?? - I think you need to understand the point also something meaningless as filemin - everyone uses ssh those days is question out of purpose.

well bs 3 showing 4 vulnerabilities as runs old code however someone need to show me how to employ them and do the hacking and do the damage…

  • I guess, you just not use it or edit the code that no one uses it… its open source, so you can edit that easy.

Alright, I have spent numerous hours today to upgrade all major modules (plugins) with latest upstream versions, including jQuery, DataTables, CodeMirror (adding new modes), URI.js (that had a security release) and other. There were few issues that had to be addressed manually, for example ones in scroller plugin.

All is available for install from Authentic Theme repo, which can be updated using theme configuration page.

Thanks Ilia,

I appreciate your work on this!

I’ve updated my Authentic Theme to version 19.84-beta1 and everything seems to be working fine with Filemin.

I’ve noticed that the version of jQuery being complained about by the vulnerability scanner still reports as v1.10.2. Am I ok to just remove that file?

head /usr/libexec/webmin/filemin/unauthenticated/jquery/jquery.min.js                 
/*! jQuery v1.10.2 | (c) 2005, 2013 jQuery Foundation, Inc. | jquery.org/license
//@ sourceMappingURL=jquery-1.10.2.min.map
*/
...

Oh, that is part of default module. We never use this anymore (with Authentic Theme) but it can be upgraded as well.

I appreciate your work on this, thanks Ilia.