From: Jamie C. <jca...@we...> - 2006-08-24 15:38:11
On 24/Aug/2006 05:07 Munzir Taha (منذر طه) wrote ..
> Hi,
> I noticed that webmin stores passwords unencrypted in its configuration
> files. This is a security risk. If someone manages to find any vulnerability to
> read those files, he won't need to waste any time trying to crack them which
> is a serious issue.

That is true - in some cases, Webmin needs to store passwords (like the mysql login) in a file. This is needed because connecting to mysql requires knowledge of the plain text password.

Fortunately, the mysql and postgresql modules are the only two I can think of that have this requirement. And the files are only readable by root, so there is no security risk from normal users.

- Jamie