Bugtraq mailing list archives
Warning! Webmin Security Advisory
From: jiva () beastie devware com (Jiva DeVoe)
Date: Fri, 1 May 1998 02:28:55 -0700
The last version of Webmin has an error which allows users to both guess the valid usernames and attempt brute force password attacks against machines running webmin. I have already informed the developers of webmin, and they have released an update which fixes the problems described below. It is available at the URL at the end of this document. Details follow:

DESCRIPTION
-----------

1) If you enter an invalid username in the username and password prompt displayed by Webmin, you are allowed into the webmin main screen. You don't have access to the modules, but this allows the user to see that webmin is on the machine. Further, if you enter a valid username but an invalid password, the system gives you an access denied error; thus you can determine, based on the response from the system, what a valid username is and what an invalid username is. Webmin should respond identically whether it's a valid username or not.

2) Users are given an indefinite number of attempts at entering a valid password for a valid username. Other services send you to a default "Access denied" URL or something to that effect, but webmin just keeps prompting for a valid password over and over if an invalid password is entered. This makes for simple password cracking attempts via brute force.

SOLUTION
--------

The developers of webmin have already released an updated version of webmin which fixes these problems. It is available at:

http://www.webmin.com/webmin/download/webmin-0.5.tar.gz

--
Jiva DeVoe
jiva () devware com
MCSE
Devware Systems
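The two weaknesses in the advisory (a login response that differs for unknown versus known usernames, and no limit on password attempts) are easiest to see side by side. The following Python sketch is an added example for this archive page; it is not Webmin's code (Webmin is Perl CGI) and not the advisory author's. It assumes a constructed user table, a hypothetical `leaky_login` that reproduces the pattern described above, and a hypothetical `Authenticator` that shows the corrected behaviour: one uniform "access denied" response regardless of why the login failed, a hash computed even for unknown users so timing does not leak existence, and a lockout after `MAX_ATTEMPTS` failures (an assumed threshold).

```python
import hashlib
import hmac
from dataclasses import dataclass, field

MAX_ATTEMPTS = 5  # assumed lockout threshold, not a Webmin setting

# Constructed sample data: a fixed salt and one account (not real credentials).
_SALT = b"constructed-static-salt"


def hash_password(password: str, salt: bytes = _SALT) -> bytes:
    """PBKDF2-HMAC-SHA256 password hash (slow on purpose)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


USERS = {"admin": hash_password("correct horse")}

# Hash of a throwaway value, used so unknown usernames cost the same work
# as known ones and the comparison below always runs.
_DUMMY_HASH = hash_password("dummy-value-never-valid")


def leaky_login(username: str, password: str) -> str:
    """Mirrors the behaviour the advisory describes (the flawed version).

    An unknown username is let through to a limited main screen, while a
    known username with a wrong password gets 'access denied'. The two
    different responses let a client tell valid usernames from invalid ones.
    """
    if username not in USERS:
        return "main screen (no modules)"
    if hmac.compare_digest(USERS[username], hash_password(password)):
        return "main screen (full access)"
    return "access denied"


@dataclass
class Authenticator:
    """Corrected behaviour: uniform failure response plus attempt limiting."""

    failures: dict = field(default_factory=dict)

    def login(self, username: str, password: str) -> str:
        count = self.failures.get(username, 0)
        if count >= MAX_ATTEMPTS:
            # Locked out: same response as any other failure.
            return "access denied"

        # Look up the stored hash, falling back to a dummy so that the
        # expensive hash and the comparison run for every request.
        stored = USERS.get(username, _DUMMY_HASH)
        candidate = hash_password(password)
        matched = hmac.compare_digest(stored, candidate) and username in USERS

        if matched:
            self.failures.pop(username, None)
            return "main screen (full access)"

        # Count the failure, but say nothing about *why* it failed.
        self.failures[username] = count + 1
        return "access denied"


if __name__ == "__main__":
    print("leaky, unknown user :", leaky_login("nobody", "x"))
    print("leaky, bad password :", leaky_login("admin", "x"))
    auth = Authenticator()
    print("fixed, unknown user :", auth.login("nobody", "x"))
    print("fixed, bad password :", auth.login("admin", "x"))
    print("fixed, good password:", auth.login("admin", "correct horse"))
```

Keying the failure counter on the username alone means an attacker who knows a username can lock that account out, so real deployments usually combine a per-username counter with a per-source-address limit and a cooling-off period rather than a hard lock; the point the advisory makes is that the server must neither distinguish the two failure cases in its response nor allow unbounded retries.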