[Dshield] Port 13000 ?

Ed Truitt ed.truitt at etee2k.net
Fri Nov 1 13:18:28 GMT 2002


In http://www.kb.cert.org/vuls/id/AAMN-5BPLW6 (CERT Vulnerability Note
287771), it talks about a condition in webmin where if a webmin user can
view print jobs, he/she can execute any command as root.  It also says there
is a fix available, and directs the reader to
http://www.webmin.com/updates.html for updates.  Note this applied to
OpenBSD and NetBSD, not Linux.

However, I can think of 2 potential issues with Webmin (and I used to use it
myself):

1) If you don't set up your web server to use SSL, the passwords are being
sent in clear text.  Since this is an administrative gateway to your
system(s), it is probably NOT a good thing.

2) Do you REALLY need to admin your box across the Internet?  If not, think
seriously about locking down access so that you can only get to Webmin from
inside your local network.

Webmin can be a really neat tool if you are admining multiple boxes at a
site, or if you need to delegate admin duties to others without giving them
the keys to the kingdom.  But, as with any powerful tool, care needs to be
exercised.

Cheers,
Ed Truitt
PGP fingerprint:  5368 D25E 468C A250 9833  CCD6 DBAE 9C25 02F9 0AB9
http://www.etee2k.net
http://www.bsatroop148.org

"Note to spammers:  my 'delete' key is connected to YOUR ISP.
 Also, if you send me UCE, I reserve the right to post your spew
on my Web site, with the appropriate color commentary, so that
others may have a good laugh at your expense."


----- Original Message -----
From: "dominiquefiori" <dominiquefiori at numericable.fr>
To: <list at dshield.org>; "J. Foobar" <jfoobar1 at yahoo.com>
Sent: Friday, November 01, 2002 2:47 AM
Subject: Re: [Dshield] Port 13000 ?


>
> Good morning to my favorite security knowledge base.
[snip]
> ---------------------------------------------------------------------------
> 3) The usual question: In frog land, at Linux courses people have a new
> divinity: Webmin (localhost:10000).  As now I do not get excited without
> your opinion, would you be kind enough to tell me if you experienced some
> security issues please.
> --------------------------------------------------------------------------
[snip]
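As an added illustration of the two points Ed raises (SSL and restricting who can reach Webmin), here is a small POSIX sh audit of Webmin's miniserv.conf. It is not from the post or from the Webmin project; it relies on the ssl= and allow= keys that miniserv.conf uses and builds its own constructed sample files rather than touching /etc/webmin.

```shell
#!/bin/sh
# Audit a Webmin miniserv.conf for the two issues raised in the post:
#   1) ssl=1 must be set, or Webmin logins cross the wire in clear text;
#   2) an allow= list must limit who may connect (e.g. only the local LAN).
# Usage: audit_miniserv /etc/webmin/miniserv.conf  -> exit 0 when both pass.
audit_miniserv() {
    conf="$1"
    # miniserv.conf is key=value per line; take the last definition of each key.
    ssl=$(sed -n 's/^ssl=//p' "$conf" | tail -n 1)
    allow=$(sed -n 's/^allow=//p' "$conf" | tail -n 1)
    status=0
    if [ "$ssl" != "1" ]; then
        echo "FAIL $conf: ssl=${ssl:-unset}, logins are sent in clear text" >&2
        status=1
    fi
    if [ -z "$allow" ]; then
        echo "FAIL $conf: no allow= list, Webmin answers any source address" >&2
        status=1
    else
        # An allow list that names the whole IPv4 space is no restriction at all.
        for net in $allow; do
            case "$net" in
                0.0.0.0/0|0.0.0.0/0.0.0.0)
                    echo "FAIL $conf: allow=$net admits the whole Internet" >&2
                    status=1 ;;
            esac
        done
    fi
    return "$status"
}

# Constructed sample configs (not real files): a weak setup with SSL off and
# no allow list, and the same file after enabling SSL and limiting access to
# localhost plus one LAN.  Prints the directory holding both files.
write_samples() {
    dir=$(mktemp -d)
    printf 'port=10000\nssl=0\n' > "$dir/weak.conf"
    printf 'port=10000\nssl=1\nallow=127.0.0.1 192.168.1.0/255.255.255.0\n' \
        > "$dir/hardened.conf"
    echo "$dir"
}

dir=$(write_samples)
audit_miniserv "$dir/weak.conf"     || echo "weak.conf needs attention"
audit_miniserv "$dir/hardened.conf" && echo "hardened.conf passes"
rm -rf "$dir"
```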