Re: [bitfolk] Speaking of security alerts

Author: Alastair Sherringham
Date:  
To: BitFolk Users
Subject: Re: [bitfolk] Speaking of security alerts
I've always avoided Webmin, having briefly looked at it a long time ago, but Red Hat's "Cockpit" [1] seems more interesting nowadays. Has anyone looked at it? I suspect it is more closely linked to a Red Hat/Fedora style server (than Debian, which I use) but I trust the Red Hat people regarding security in general.

[1] https://cockpit-project.org/

Cheers, Alastair



On Sat, Sep 7, 2019, at 8:26 AM, Keith Williams wrote:
> It seems that the exploit would only work if you had it set up so that users were allowed to log in with expired passwords, which seems a daft setting.
>
> I have been a webmin user for a few years now, but find I use it less and less as its usefulness declines rapidly as other software changes. I think it is a tool that has had its day, to be honest.
>
>
> On Fri, 6 Sep 2019 at 22:57, Ian Watters <lovingboth@???> wrote:
>> One that caught one server in the past month was webmin's, where one
>> version was hacked with a backdoor that would by default let an attacker
>> run code as root, and later versions could also do so, depending on
>> how they'd been set up.
>>
>> http://www.webmin.com/exploit.html
>>
>> It didn't help that it's easy to let webmin update itself rather than
>> using the usual Debian apt / apt-get utilities and, if you don't use
>> it very often, it's easy to miss an update release.
>>
>> What it did was install something listening to port 59000. As that
>> port (and almost all others) has always been blocked by the firewall,
>> it doesn't seem to have done anything bad, but it's rebuild on a fresh
>> VPS and destroy it time.
>>
>> Ian, knowing that Andy has always disliked webmin...
>>
>> _______________________________________________
>> users mailing list
>> users@???
>> https://lists.bitfolk.com/mailman/listinfo/users


--
Alastair Sherringham
http://www.sherringham.net