From: Munzir T. <mun...@gm...> - 2006-08-25 05:29:42
On Thursday 24 August 2006 18:38, Jamie Cameron wrote:
> On 24/Aug/2006 05:07 Munzir Taha wrote ..
> >
> > Hi,
> > I noticed that webmin stores passwords unencrypted in its configuration
> > files. This is a security risk. If someone manages to find any
> > vulnerability to read those files, he won't need to waste any time trying
> > to crack them, which is a serious issue.
>
> That is true - in some cases, Webmin needs to store passwords (like the
> mysql login) in a file. This is needed because connecting to mysql requires
> knowledge of the plain text password.

That's fine with me. After all, one can secure mysql to only accept
connections from localhost.

> Fortunately, the mysql and postgresql modules are the only two I can think
> of that have this requirement.

The real problem is having the root password in this file:
/etc/webmin/servers/1108941386.serv
Maybe this is because I am monitoring another server from webmin.

> And the files are only readable by root, so
> there is no security risk from normal users..

As I read it, the vulnerability discovered in webmin 1.29- would allow any
anonymous user to read any system file, whatever the permissions are. In such
cases the administrator needs some time to provide the patch. After all, this
is why the system root password is not only kept in the shadow file, which is
not readable by everyone, but is also kept encrypted.

Keep up the good work.

--
Munzir Taha
Telecommunications and Electronics Engineer
Maintainer of Fedora Arabic Translation Project
https://listman.redhat.com/mailman/listinfo/fedora-trans-ar
Maintainer of the OpenBugs project page at
http://www.arabic-fedora.org/munzir/OpenBugs.html
Master CIW Designer, ICDL, MOUS, Linux+, LPI 101
Riyadh, SA
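The practical check behind the discussion above is knowing which config files carry a plaintext credential and whether their mode really limits them to root. The script below is an added example, not code from the mail or from Webmin: it walks a config tree, flags files with a `pass=` style key (the key=value layout and the `pass` key are assumed, modelled on the .serv file named in the mail), and reports whether group or other permission bits are set. The sample tree it builds is constructed for the demonstration, with made-up hosts and passwords.

```python
"""Audit a config tree for files holding plaintext credentials and report
which of them are readable beyond their owner.

Added example, not Webmin's own code.  Assumption: Webmin-style key=value
config files whose credential key is ``pass`` (as in servers/*.serv); the
sample tree built by build_sample_tree() is constructed for this demo.
"""
import os
import re
import stat
import tempfile

# Credential keys to look for.  ``pass`` is the assumed Webmin key; the
# other two are common variants in similar key=value files.
SECRET_KEY_RE = re.compile(r"^\s*(pass|password|passwd)\s*=\s*(\S+)", re.I | re.M)

# Any of these bits set means someone other than the owner can touch the file.
EXPOSED_BITS = stat.S_IRWXG | stat.S_IRWXO


def secret_keys_in(text):
    """Return the credential keys (lower-cased) that carry a non-empty value."""
    return sorted({m.group(1).lower() for m in SECRET_KEY_RE.finditer(text)})


def audit_dir(root):
    """Walk ``root`` and return one record per regular file holding a secret.

    ``exposed`` is True when group or other bits are set: with such a mode the
    "only root can read it" argument fails even without a file-read bug.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets and other non-files
            with open(path, encoding="utf-8", errors="replace") as fh:
                keys = secret_keys_in(fh.read())
            if not keys:
                continue
            findings.append({
                "path": os.path.relpath(path, root),
                "keys": keys,
                "mode": stat.S_IMODE(st.st_mode),
                "exposed": bool(st.st_mode & EXPOSED_BITS),
                "owner_uid": st.st_uid,
            })
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree():
    """Create a constructed /etc/webmin-like tree and return its path."""
    root = tempfile.mkdtemp(prefix="webmin-audit-")
    samples = {
        # remote-server definition with a plaintext login, owner-only mode
        "servers/1108941386.serv": ("host=db.example.test\nuser=root\npass=hunter2\n", 0o600),
        # mysql module config left group/world-readable
        "mysql/config": ("login=root\npass=mysqlpw\nhost=localhost\n", 0o644),
        # no credentials at all
        "miniserv.conf": ("port=10000\nssl=1\n", 0o600),
    }
    for rel, (body, mode) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    for f in audit_dir(tree):
        flag = "EXPOSED" if f["exposed"] else "owner-only"
        print(f"{f['path']}: keys={f['keys']} mode={f['mode']:04o} {flag}")
```

Run it against a real `/etc/webmin` as root (`audit_dir("/etc/webmin")`) to get the list of files that an arbitrary-file-read bug would hand over; the owner-only ones are still worth knowing about, since a read primitive running as the Webmin server ignores the mode bits entirely.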