[Dshield] Port 13000 ?
mark.rowlands at minmail.net
Fri Nov 1 14:49:06 GMT 2002
On Fri November 1 2002 14:18, Ed Truitt wrote:
> In http://www.kb.cert.org/vuls/id/AAMN-5BPLW6 (CERT Vulnerability Note
> 287771), it talks about a condition in webmin where if a webmin user can
> view print jobs, he/she can execute any command as root. It also says
> there is a fix available, and directs the reader to
> http://www.webmin.com/updates.html for updates. Note this applied to
> OpenBSD and NetBSD, not Linux.
> However, I can think of 2 potential issues with Webmin (and I used to use
> it myself):
> 1) If you don't set up your web server to use SSL, the passwords are being
> sent in clear text. Since this is an administrative gateway to your
> system(s), it is probably NOT a good thing.
> 2) Do you REALLY need to admin your box across the Internet? If not, think
> seriously about locking down access so that you can only get to Webmin from
> inside your local network.
Hmm, I wonder if you could
a) Start up webmin from a weblink and force it to shut down when the logout /
after x minutes or
b) set a link to a cgi to open up the webmin port, and then shut down after x
Course, then you have the risk of someone getting fresh with those links.....
I just quickly whipped up a little cgi to switch off and on rules in my
firewall and it works....but as to whether it is safe?
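
Added example, not part of the original thread: a small audit of a Webmin `miniserv.conf` for the two issues raised in the quoted message (no SSL, and access not restricted to the local network). It assumes the `ssl=` and `allow=` keys of `miniserv.conf` and that a missing `allow` line means no address restriction; the sample file, the function names and the choice of "local" ranges are constructed for illustration.

```python
import ipaddress

# Constructed sample of a miniserv.conf (not taken from the thread).
SAMPLE_CONF = """\
port=10000
ssl=0
allow=192.168.1.0/24 203.0.113.7
"""

# Assumption: "local network" means RFC 1918 ranges plus loopback.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def parse_conf(text):
    """Parse key=value lines, ignoring blanks and comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf

def is_local(entry):
    """True if an allow entry is an IPv4 address/network inside LOCAL_NETS."""
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return False  # hostnames and unparsable entries count as non-local
    return net.version == 4 and any(net.subnet_of(l) for l in LOCAL_NETS)

def audit(text):
    """Return a list of findings for the two issues discussed above."""
    conf = parse_conf(text)
    findings = []
    if conf.get("ssl", "0") != "1":
        findings.append("ssl is not enabled: logins travel in clear text")
    allowed = conf.get("allow", "").split()
    if not allowed:
        findings.append("no allow list: any address can reach the login page")
    for entry in allowed:
        if not is_local(entry):
            findings.append(f"allow entry is not a local network: {entry}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```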