Thanks for the heads up, james. WebMin is an excellent tool to look at stuff and an awful tool to make changes, the consequences of which you don't understand. In the PIAF and Incredible PBX environment, the 1.680 (and below) bug will not be a problem on systems as delivered since we only allow https root access with the existing root password anyway. The root user has always had permissions to delete files with WebMin. You've also got to work pretty hard to trigger the inadvertent deletion of files with the documented bug methodology.
The vulnerability doesn't exist at all on later standalone releases of Incredible PBX which include WebMin 1.7.0 (Ubuntu) or 1.6.9.0-1 (CentOS). Nor does it exist in systems built with the PIAF3 installer (with or without the addition of Incredible PBX) which loads WebMin 1.6.9. Older PIAF systems would be a problem. On those systems, WebMin can be upgraded from within the WebMin interface.