Re: ::dummy :: Managing users

On Tue Feb 25 2003 at 01:15, Keith Mastin wrote:

> >> > I like webmin and usermin. Just make sure it's secured.
> >>
> >> I wouldn't recommend webmin - "securing" things with it won't help
> >> much.   According to some recent posts to bugtraq, some *serious*
> >> easy-root-access problems have been discovered in webmin.

I should not have posted something like this without giving a
reference.  Here are the two recent posts to bugtraq I've seen:

	Webmin 1.050 - 1.060 remote exploit

	[SNS Advisory No.62] Webmin/Usermin Session ID Spoofing Vulnerability "Episode 2"

> >------
> >I can appreciate your opinion and went to bugtraq to see if they had
> >anything current on webmin. I got a message that bugtraq wasn't
> >available.

Where did you go?  The URLs above are in the bugtraq archives.

> >I have never seen a project where the mail author responds as quickly as
> >webmin / Jamie Cameron
> >
> >Indeed there have been security issues and he has stepped up to the
> >plate immediately on them but considering that webmin is a web browser
> >application that provides root level access for administration, security
> >issues are gonna pop up from time to time.
> >
> >I haven't seen anything that comes remotely close to the functionality
> >of webmin and considering that if you locate a bug, it is almost always
> >fixed within hours, it's on my heavily recommended list.

Have you been compromised yourself yet?  You better check, the
exploit is published for anyone to use.  Let's hope that what you
say about the author is true (I have no doubt), but you better check
for an update asap.

> >Craig
> If this is a server with any mission critical stuff on it, any web-based
> application running in a gui is a hole. Best practice is to not run any
> X-based anything on a mission-critical server. Factor in that with the
> amount of things that you can't do with the gui, and the loss is more than
> doubled from learning to use the command line to configure servers etc.
> IMHO using a gui to configure a server is almost as bad as running an M$
> server. The OP would be far better off learning the usermod and useradd
> options.

While they are good (well, ok) tools for quick'n'dirty and newbies
(in general I don't use them myself).

Personally, I have never, ever, considered having things like webmin
(eg swat, etc) running as a daemon if their ports are permanently
exposed to the general internet.  Just another invitation for

Good tools they may be, but it only takes one obscure security hole
somewhere and the flood pours through the crack.  This is one such
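
The point above about never leaving webmin, swat and similar daemons listening on internet-facing ports can be checked mechanically. The following is an added example (not part of the thread) that reads `ss -ltn`-style listening-socket output and flags admin-panel ports bound to anything other than loopback; the port list (10000 webmin, 20000 usermin, 901 swat) is an assumption based on those tools' default ports, and the sample input is constructed.

```shell
# Added example, not from the original thread: flag web-admin daemons
# (webmin, usermin, swat) that listen on all interfaces instead of
# loopback only. Input is `ss -ltn`-style text on stdin.
# Assumed default ports: 10000 webmin, 20000 usermin, 901 swat.
ADMIN_PORTS="10000 20000 901"

# exposed_admin_ports: prints "<port> <local address>" for every admin
# port whose local address is not 127.0.0.1 / ::1. Header lines and
# non-LISTEN states are ignored.
exposed_admin_ports() {
    awk -v ports="$ADMIN_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "LISTEN" {
            addr = $4
            # port is the digits after the last colon, host is the rest
            k = match(addr, /:[0-9]+$/)
            if (k == 0) next
            port = substr(addr, k + 1)
            host = substr(addr, 1, k - 1)
            if (!(port in want)) next
            if (host == "127.0.0.1" || host == "[::1]" || host == "::1") next
            print port, host
        }'
}

# Constructed sample of `ss -ltn` output: webmin bound to all IPv4
# interfaces, usermin on loopback only, swat on all IPv6 interfaces,
# plus sshd (not an admin-GUI port, so never reported).
SAMPLE='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22           0.0.0.0:*
LISTEN 0      128    *:10000              *:*
LISTEN 0      128    127.0.0.1:20000      0.0.0.0:*
LISTEN 0      128    [::]:901             [::]:*'

# On a live host run: ss -ltn | exposed_admin_ports
printf '%s\n' "$SAMPLE" | exposed_admin_ports
```

Anything the function prints is a daemon that would be reachable from every interface the host has, which is exactly the exposure the message argues against.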
