Security Basics mailing list archives

RE: Webmin Security Questions

From: ATD <simon () snosoft com>
Date: 24 Oct 2002 14:04:28 -0400

All, 
        Three points:

1-) I have seen remote exploits for webmin that grant shell access due
to flaws in the scripts that webmin uses.

2-) Webmin requires an httpd to run.  If you are using webmin to manage
your mail server, then you need to run httpd on your web server, which
you would not need to do otherwise. In doing that you open up another
service for an attacker to pounce on.

3-) Why would a systems administrator rely on a web based administration
tool? Shouldn't that administrator understand the inner workings of his
or her system. Shouldn't that administrator also be security aware?  

Don't get me wrong, webmin does have a place but I do not see it in a 
network that requires any serious level of security. It would be handy
for a test network, or maybe an isolated network behind a few
firewalls.  I would not suggest using it on any system directly exposed
to the internet though. 




Allan Jansen wrote:

-----Original Message-----
From: Joe McCray [mailto:joemccray () hardestworkingmanonline com] 
Sent: 21. oktober 2002 21:49
To: security-basics () securityfocus com
Subject: Webmin Security Questions


Have any of you used Webmin 

http://www.webmin.com/

[...]

Any opinions?


Yep - it's a quite decent administration package for anyone afraid of
administering a system via a keyboard :o)

That aside; running it over standard HTTP is - obviously - a security risk;
you want to apply SSL. 
There's some info here : http://www.webmin.com/ssl.html

So throw SSL into the equation and I'd say you're fairly secure using it.


Best regards,
-Allan Jensen

-- 

-ATD-

-------------------------------------------------------------
Secure Network Operations |     Strategic Reconnaissance Team
http://www.snosoft.com    |     recon () snosoft com
Cerebrum Project          |     cerebrum () snosoft com
-------------------------------------------------------------

Attachment: signature.asc
Description: This is a digitally signed message part

Current thread:

Webmin Security Questions Joe McCray (Oct 22)
- Re: Webmin Security Questions Devdas Bhagat (Oct 23)
- Re: Webmin Security Questions ATD (Oct 23)
- <Possible follow-ups>
- RE: Webmin Security Questions Allan Jensen (Oct 24)
  - RE: Webmin Security Questions ATD (Oct 25)
- RE: Webmin Security Questions Allan Jensen (Oct 25)
- Re: Webmin Security Questions Muhammad Faisal Rauf Danka (Oct 25)
- RE: Webmin Security Questions Paris E. Stone (Oct 28)