Security issue in Webmin/Virtualmin - passwords in clear text in webmin.log

Webmin
myhken
2014-02-02
2014-02-20
  • myhken
    2014-02-02

    I'm using Virtualmin 4.04 on CentOS 6.5 on my servers. My main server has several scheduled backups set up. When I create new backups, the password for the FTP servers is replaced with ****, all looks great. But today I found all my login info to my backup servers in clear text in /var/webmin/webmin.log. When I set up Virtualmin I always use the "hashed password" setting, but still, in the webmin.log all login info (ftp server:password@username) is clear as daylight.

    This can't be good? If anybody gets access to my server and my logs, they can get all the important login info to my backup servers.

    I have now created a script and a cron job that deletes /var/webmin/webmin.log every minute.

    But am I missing some important setting or something in Virtualmin/webmin that allows the FTP info for my backup servers to be written in clear text in the logfile?

    Here are two pictures showing the issue:

    Here I set up a scheduled backup in Virtualmin ( http://myhken.info/div/020214webmin1.jpg )

    Here you can see in my /var/webmin/webmin.log that my logon info to my FTP server is in clear text. ( http://myhken.info/div/020214webmin2.jpg )

    And here you can see that other passwords, when I create a Virtualmin user, are hashed, so the hashed-password function does work and is activated:

    ( http://myhken.info/div/020214webmin3.jpg )

    Last edit: myhken 2014-02-02
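An added example, not code from the post above or from Webmin/Virtualmin itself: rather than deleting /var/webmin/webmin.log every minute (which also destroys the audit trail of every other action), a cron job can instead scan the log for credentials embedded in backup destinations and mask only the password. The log line layout in the constructed sample and the key names matched by CRED_KV_RE are assumptions; check them against your own webmin.log before relying on the patterns.

```python
"""Mask credentials embedded in a Webmin-style action log, in place.

Added example for this thread; it is not code from the original post or
from Webmin/Virtualmin.  The sample log lines and the key names in
CRED_KV_RE are assumptions about the format, not taken from the page.
"""
import os
import re
import sys
import tempfile
from pathlib import Path
from typing import Iterable, List, Tuple

MASK = "****"

# scheme://user:password@host -> keep scheme, user and host, mask only the
# password.  The post's odd "host:password@user" form is handled the same
# way, since the middle component is what gets masked either way.
CRED_URL_RE = re.compile(
    r"(?P<prefix>\b(?:ftps?|sftp|ssh|https?)://[^\s:@/]+:)"
    r"(?P<password>[^\s@]+)"
    r"(?=@)"
)

# key=value pairs whose key looks like a password (assumed key names).
CRED_KV_RE = re.compile(
    r"(?P<key>\b(?:ftp_pass|smb_pass|password|passwd|pass)\s*=\s*)"
    r"(?P<value>[^\s&;,]+)",
    re.IGNORECASE,
)


def redact_line(line: str) -> Tuple[str, int]:
    """Return the line with secrets masked and how many were masked."""
    hits = 0

    def mask_url(m):
        nonlocal hits
        hits += 1
        return m.group("prefix") + MASK

    def mask_kv(m):
        nonlocal hits
        hits += 1
        return m.group("key") + MASK

    line = CRED_URL_RE.sub(mask_url, line)
    line = CRED_KV_RE.sub(mask_kv, line)
    return line, hits


def redact_lines(lines: Iterable[str]) -> Tuple[List[str], int]:
    """Mask every line; returns (masked lines, total secrets masked)."""
    out, total = [], 0
    for line in lines:
        new, n = redact_line(line)
        out.append(new)
        total += n
    return out, total


def redact_file(path: Path) -> int:
    """Rewrite path with secrets masked; returns number of secrets masked.

    Writes a temp file in the same directory, copies the original mode and
    owner, then renames over the original so a crash never leaves a
    half-written log.  Needs root to chown, like the original log.
    """
    with path.open("r", encoding="utf-8", errors="replace") as f:
        new_lines, total = redact_lines(f)
    if total == 0:
        return 0
    st = path.stat()
    fd, tmp = tempfile.mkstemp(dir=str(path.parent), prefix=".webmin.log.")
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        f.writelines(new_lines)
    os.chmod(tmp, st.st_mode & 0o777)
    os.chown(tmp, st.st_uid, st.st_gid)
    os.replace(tmp, path)
    return total


# Constructed sample lines, not real webmin.log content (format assumed).
SAMPLE_LOG = [
    "1391337600.1234.0 myhken 203.0.113.5 virtual-server backup.cgi dest=ftp://backupuser:S3cret!@backup.example.org/vmin\n",
    "1391337660.1235.0 myhken 203.0.113.5 virtual-server save_domain.cgi dom=example.org\n",
    "1391337720.1236.0 myhken 203.0.113.5 virtual-server backup.cgi dest=ftp://backup.example.org:P4ssw0rd@myhken/  smb_pass=hunter2\n",
]


def demo() -> Tuple[List[str], int]:
    """Run the masking over the constructed sample."""
    return redact_lines(SAMPLE_LOG)


if __name__ == "__main__":
    if len(sys.argv) == 2:
        print(f"masked {redact_file(Path(sys.argv[1]))} secret(s)")
    else:
        lines, n = demo()
        sys.stdout.writelines(lines)
        print(f"masked {n} secret(s) in sample")
```

Run it from the same cron entry that currently deletes the file, passing /var/webmin/webmin.log as the only argument. The patterns only cover passwords with no whitespace or "@" in them and the key names listed; anything else stays in the log, so a grep for your actual backup password after the first run is the check that matters.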
  • gus gando
    2014-02-20

    I am guessing that your actual backup is also logged into as plain text. You should check that at the backup server log. It also appears that password@user is not the correct syntax, that perhaps you have an entry error because it is always user@somewhere. Meanwhile, just do not write the log item.