Security Basics mailing list archives

RE: Webmin Security Questions


From: Allan Jensen <aje () callcentereurope com>
Date: Fri, 25 Oct 2002 09:12:14 +0200


-----Original Message-----
From: ATD [mailto:simon () snosoft com] 
Sent: 24. oktober 2002 20:04
To: Allan Jensen
Cc: security-basics () securityfocus com
Subject: RE: Webmin Security Questions


All, 
      Three points:

1-) I have seen remote exploits for webmin that grant shell 
access due to flaws in the scripts that webmin uses.

I haven't seen them, which is why I deemed Webmin somewhat secure. I stand
corrected.
But (thinking aloud) how could it gain shell access when authentication is
required before you get one single page? Could it have been an exploit for
the built-in webserver itself?

2-) Webmin requires an httpd to run.  

It comes with its own (quote: "..Webmin consists of a simple web
server..."), but yes, if you are using Webmin, then an httpd server will be
running.
There are ways to secure/obscure that; move Webmin to run on another port
and only allow it to be accessed from certain IP addresses (via
iptables/ipchains/ipfw/your favourite packet filter) comes to mind.

In doing that you open up another service for an attacker to pounce on.

True.

3-) Why would a systems administrator rely on a web based 
administration tool? Shouldn't that administrator understand 
the inner workings of his or her system. Shouldn't that 
administrator also be security aware?  

As I was writing; it's a great tool for anyone who's afraid of administering a
system via a keyboard. That said, I know of few professional admins who have
that problem.

Don't get me wrong, webmin does have a place but I do not see it in a 
network that requires any serious level of security. It would 
be handy for a test network, or maybe an isolated network 
behind a few firewalls.  I would not suggest using it on any 
system directly exposed to the internet though. 

Um, no! I've been deploying it onto a corporate LAN to give my Windows admin
colleagues a way to administer some Linux boxes when I was out of office,
but it was using SSL and was restricted to a few IP addresses. But no Webmin
access was - and should be - allowed from the Internet!


Best regards,
-Allan Jensen
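The packet-filter restriction Allan describes above (Webmin moved to a non-default port and reachable only from a few addresses) as a worked example. This is an added script, not code from the original thread or from the Webmin project. The port (10443), the admin addresses (192.0.2.x, a documentation range) and the choice of iptables over ipchains/ipfw are assumptions for illustration; the rule generator is kept separate from the apply step so the rule set can be reviewed before anything touches the firewall.

```shell
#!/bin/sh
# Added example, not from the original thread or the Webmin project:
# restrict a Webmin listener to an allow-list of admin hosts with iptables.
# Port 10443, the 192.0.2.x addresses and the iptables binary are assumptions.

WEBMIN_PORT="${WEBMIN_PORT:-10443}"
ADMIN_HOSTS="${ADMIN_HOSTS:-192.0.2.10 192.0.2.11}"   # constructed sample list
IPT="${IPT:-iptables}"

# Emit the rule set, one iptables command per line: one ACCEPT per admin
# host, then a catch-all DROP for the port. DROP rather than REJECT so the
# port stays silent to everyone else's scans.
webmin_rules() {
    port="$1"
    shift
    for host in "$@"; do
        printf '%s -A INPUT -p tcp -s %s --dport %s -j ACCEPT\n' "$IPT" "$host" "$port"
    done
    printf '%s -A INPUT -p tcp --dport %s -j DROP\n' "$IPT" "$port"
}

# Sanity checks a caller can run before applying anything.
rule_count()   { webmin_rules "$@" | wc -l | tr -d ' '; }
accept_count() { webmin_rules "$@" | grep -c -- '-j ACCEPT'; }

# Apply the generated rules in order. Refuses to run with no admin hosts,
# because the result would be a port that nobody (not even you) can reach.
apply_rules() {
    if [ "$#" -lt 2 ]; then
        echo "apply_rules: need a port and at least one admin host" >&2
        return 2
    fi
    webmin_rules "$@" | while IFS= read -r cmd; do
        # shellcheck disable=SC2086
        $cmd || return 1
    done
}

case "${1:-print}" in
    print) webmin_rules "$WEBMIN_PORT" $ADMIN_HOSTS ;;
    apply) apply_rules "$WEBMIN_PORT" $ADMIN_HOSTS ;;
    *)     echo "usage: $0 [print|apply]" >&2 ;;
esac
```

Run it with `print` first to review the rules, then `apply` as root. The rules are appended to INPUT, so they only help if no earlier rule already accepts that port; on a host whose INPUT policy is ACCEPT the final DROP is what actually closes the port to the rest of the network. The filter is one layer; Webmin's own listener config (port, SSL and its IP access list in miniserv.conf) is the second, and the two should agree on the port.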

