Warning! Webmin Security Advisory


Date: Fri, 1 May 1998 02:28:55 -0700
From: Jiva DeVoe <[email protected]>
To: [email protected]
Subject: Warning!  Webmin Security Advisory

The last version of Webmin has an error which allows users both to guess
valid usernames and to attempt brute-force password attacks against
machines running Webmin.  I have already informed the developers of
Webmin, and they have released an update which fixes the problems
described below.  It is available at the URL at the end of this
document.  Details follow:

DESCRIPTION
-----------

1) If you enter an invalid username in the username and password prompt
displayed by Webmin, you are allowed into the Webmin main screen.  You
don't have access to the modules, but this lets the user see that
Webmin is on the machine.  Further, if you enter a valid username but an
invalid password, the system gives you an "access denied" error.  Thus,
based on the response from the system, you can tell a valid username
from an invalid one.  Webmin should respond identically whether or not
the username is valid.

2) Users are given an unlimited number of attempts at entering a valid
password for a valid username.  Other services send you to a default
"Access denied" URL or something to that effect, but Webmin just keeps
prompting for a valid password over and over if an invalid password is
entered.  This makes for simple password-cracking attempts via brute
force.
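The two weaknesses above, side by side with a hardened login handler, as an added example that is not part of the advisory or of Webmin's own code. The account store, salt, client identifiers and the attempt limit are constructed for the example; the point is that the hardened handler returns one failure response for unknown users and wrong passwords alike, and stops evaluating credentials after a fixed number of failures.

```python
import hashlib
import hmac
import time
from collections import defaultdict

# Constructed sample account store: username -> salted SHA-256 of the password.
_SALT = b"constructed-salt"

def _digest(password):
    return hashlib.sha256(_SALT + password.encode()).digest()

USERS = {"admin": _digest("correct horse")}
_DUMMY = _digest("dummy")  # hashed for unknown users so timing does not leak existence

def vulnerable_login(user, password):
    """Behaviour the advisory describes: three distinguishable outcomes, no attempt limit."""
    if user not in USERS:
        return "main screen, no modules"      # unknown user is let through to the main screen
    if hmac.compare_digest(USERS[user], _digest(password)):
        return "main screen, full access"
    return "access denied"                    # only a *valid* username reaches this branch

class Authenticator:
    """Hardened form: one failure response for every bad credential, and a lockout per client."""
    def __init__(self, max_failures=5, lockout_seconds=300, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock                    # injectable so the lockout can be tested offline
        self._failures = defaultdict(int)     # client -> consecutive failures
        self._locked_until = {}               # client -> clock value at which the lockout ends

    def login(self, client, user, password):
        now = self.clock()
        if self._locked_until.get(client, 0) > now:
            return "access denied"            # locked out: do not even evaluate the credential
        expected = USERS.get(user, _DUMMY)    # same hashing work whether or not the user exists
        ok = hmac.compare_digest(expected, _digest(password)) and user in USERS
        if ok:
            self._failures.pop(client, None)
            return "ok"
        self._failures[client] += 1
        if self._failures[client] >= self.max_failures:
            self._locked_until[client] = now + self.lockout_seconds
            self._failures.pop(client, None)
        return "access denied"                # identical for unknown user and wrong password
```

Keying the lockout on the client rather than the username avoids letting a third party lock the real administrator out by sending bad passwords for that account.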

SOLUTION
--------

The developers of Webmin have already released an updated version of
Webmin which fixes these problems.  It is available at:

http://www.webmin.com/webmin/download/webmin-0.5.tar.gz

--
Jiva DeVoe
[email protected]
MCSE
Devware Systems
