Webmin? Good, Bad, Ugly?
NoOp
glgxg at sbcglobal.net
Mon Jul 23 21:39:31 UTC 2007
On 07/23/2007 02:15 PM, Jake Wright wrote:
>
> I'm not sure I agree on the security bashing that Webmin is taking
> here. It's actually got a pretty good security record compared to
> other similarly privileged services.
It does seem to have a pretty good record:
http://www.webmin.com/security.html
http://secunia.com/product/1115/?task=advisories
However, I don't think anyone is really 'security bashing'. It's simply
prudent to lock down settings on anything like Webmin that use well
known ports for access. Particularly applications that can allow someone
to change your system - VNC for example; always change from 5900 & 5800.
Changing the access port from 10000 to something else, and limiting what
IPs/Ranges can connect and use Webmin is, IMO, a reasonable thing to do.
Note: http://isc.sans.org/port.html?port=10000
<quote>
This is the kiddies looking for hosts running Webmin on Usermin. There
is a vuln from June 30 2006 (BID 18744; CVE-2006-3392) which allows an
attacker to request an arbitrary file from the remote host without
authenticating to webmin. The mass auto-rooters that I've captured for
this vuln request /etc/shadow, and then send the file via email to a
yahoo account by default. There was also a Metasploit module published
recently for the vuln. There is also a format string bug and integer
overflow in Webmin, but there are no public sploits for them (CANVAS has
one). Versions of Webmin older than 1.290 are affected by BID 18744, as
well as versions of Usermin older than 1.220. If you're running Webmin
or Usermin, take a look at your miniserv.log
(/var/log/webmin/miniserv.log). You should see a great deal of requests
for /etc/shadow. Usermin also runs on port 20000. Look for a directory
called w, and/or a file called pscan2. Both these were used in the
auto-rooters I was able to capture.
</quote>
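The quoted ISC note says to look through miniserv.log for requests for /etc/shadow. The script below is an added example (not from the post, from Webmin, or from ISC) that does that check over a few constructed log lines: it assumes miniserv.log uses the Apache-style common log format (an assumption here, not stated in the post), URL-decodes each request path before matching so an encoded path does not slip past a plain string search, counts hits per source IP and per HTTP status, and separately lists any such request that the server answered with 200, which is the case worth following up on. The IP addresses, timestamps and paths in the sample are constructed.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Assumed log layout: common log format, i.e.
#   <ip> - - [<timestamp>] "<method> <path> <proto>" <status> <size>
# This is an assumption about miniserv.log, not something the post states.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) (?P<size>\S+)'
)

# Paths the post says the auto-rooters request.
SENSITIVE_PATHS = ("/etc/shadow",)

# Constructed sample log lines (not real traffic); the last line is deliberately
# malformed to show that unparseable lines are skipped rather than crashing the scan.
SAMPLE_LOG = """\
203.0.113.7 - - [23/Jul/2007:21:40:02 +0000] "GET /etc/shadow HTTP/1.0" 403 0
203.0.113.7 - - [23/Jul/2007:21:40:03 +0000] "GET /unauthenticated/%2Fetc%2Fshadow HTTP/1.0" 403 0
198.51.100.20 - - [23/Jul/2007:21:41:10 +0000] "GET / HTTP/1.1" 200 1450
192.0.2.44 - - [23/Jul/2007:21:42:55 +0000] "GET /etc/shadow HTTP/1.0" 200 1213
this line is not in log format
"""


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    # Decode twice so a percent-encoded path (and a double-encoded one) is
    # compared in its plain form.
    entry["decoded_path"] = unquote(unquote(entry["path"]))
    return entry


def is_sensitive_request(entry):
    """True if the decoded request path contains one of the watched file paths."""
    return any(p in entry["decoded_path"] for p in SENSITIVE_PATHS)


def scan(lines):
    """Scan log lines; return per-IP counts, per-status counts, and served requests."""
    by_ip = Counter()
    by_status = Counter()
    served = []  # (ip, decoded_path) for requests the server answered with 200
    for line in lines:
        entry = parse_line(line)
        if entry is None or not is_sensitive_request(entry):
            continue
        by_ip[entry["ip"]] += 1
        by_status[entry["status"]] += 1
        if entry["status"] == "200":
            served.append((entry["ip"], entry["decoded_path"]))
    return {"by_ip": by_ip, "by_status": by_status, "served": served}


def scan_file(path):
    """Convenience wrapper for a real log file, e.g. /var/log/webmin/miniserv.log."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan(fh)


if __name__ == "__main__":
    result = scan(SAMPLE_LOG.splitlines())
    for ip, n in result["by_ip"].most_common():
        print(f"{ip}: {n} request(s) for a watched path")
    print("status codes:", dict(result["by_status"]))
    for ip, p in result["served"]:
        print(f"SERVED (status 200): {ip} -> {p}")
```

A 403 or 404 for such a request only tells you someone is scanning; a 200 with a non-zero response size against an affected version is the line that should trigger the follow-up checks the post describes (the `w` directory and `pscan2` file), and restricting the allowed source IPs as NoOp suggests keeps most of these scanners from reaching miniserv at all.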