Re: [webmin-l] Re: Webmin BruteForce + Command execution - By Di42lo <DiAblo_2@012.net.il>

From: Jamie Cameron (jcameron_at_webmin.com)
Date: 12/23/04

    To: webadmin-list@lists.sourceforge.net
    Date: 23 Dec 2004 22:17:35 +1100
    
    

    On Thu, 2004-12-23 at 20:34, Martin Mewes wrote:
    > Hello,
    >
    > amit sides <DiAblo_2@012.net.il> wrote :
    > > #!/usr/bin/perl
    > > ##
    > > # Webmin BruteForce + Command execution - By Di42lo
    > > <DiAblo_2@012.net.il> #
    > > # usage
    > > # ./bruteforce.webmin.pl <host> <command>
    > [...]
    >
    > this is a message from the maintainer ...
    >
    > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    > I haven't seen this one before - but it would be blocked by Webmin's
    > password timeouts feature. However, this feature (surprisingly!) isn't
    > enabled by default ...
    > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    >
    > On behalf of the maintainer I appreciate every input to secure the
    > software to its extent. Future versions of Webmin (if needed Usermin
    > too) will have this feature enabled by default.
    >
    > With this we encourage everyone using Webmin to enable this feature to
    > avoid a possible break-in.
    >
    > Again, we would like to tell the OP of this that it would be really nice
    > to know first about such issues, so we are able to / can do a
    > (full-)disclosure on items.

    Fortunately, it is quite easy to configure Webmin to defend against this kind
    of brute-force password guessing attack. Just do the following:

     - Go to the Webmin Configuration module.

     - Click on the Authentication icon.

     - Select 'Enable password timeouts'.

     - Click on the 'Save' button at the bottom of the page.

    Future releases will enable this by default.

     - Jamie
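
The setting described in the message above can also be verified from a shell, which helps when auditing several hosts. This is an added example, not part of the original message and not Webmin's own code; it assumes the 'Enable password timeouts' option is stored in /etc/webmin/miniserv.conf as passdelay=1, with blockhost_failures and blockhost_time as the related lockout keys.

```shell
#!/bin/sh
# Audit a Webmin miniserv.conf for the password-timeout protection.
# Assumptions (not stated in the message above): the option is stored as
# passdelay=1, and blockhost_failures / blockhost_time hold the per-host
# failure threshold and the lockout period in seconds.

# Print the value of the last "key=value" line for key $1 in file $2.
conf_get() {
    sed -n "s/^$1=//p" "$2" | tail -n 1
}

# Exit status: 0 = timeouts enabled, 1 = disabled or unset, 2 = unreadable.
check_password_timeouts() {
    conf=${1:-/etc/webmin/miniserv.conf}
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    delay=$(conf_get passdelay "$conf")
    fails=$(conf_get blockhost_failures "$conf")
    secs=$(conf_get blockhost_time "$conf")
    if [ "$delay" = "1" ]; then
        echo "OK: $conf has password timeouts enabled" \
             "(blockhost_failures=${fails:-unset}, blockhost_time=${secs:-unset})"
        return 0
    fi
    # An absent key is treated as disabled, matching the old default.
    echo "WEAK: $conf has password timeouts disabled; enable them under" \
         "Webmin Configuration > Authentication"
    return 1
}

# Constructed sample configs (not taken from a real host) showing both results.
demo() {
    tmp=$(mktemp -d)
    printf 'port=10000\npassdelay=1\nblockhost_failures=5\nblockhost_time=60\n' \
        > "$tmp/on.conf"
    printf 'port=10000\npassdelay=0\n' > "$tmp/off.conf"
    check_password_timeouts "$tmp/on.conf"
    check_password_timeouts "$tmp/off.conf" || true
    rm -rf "$tmp"
}
```

Source the file and run `check_password_timeouts` with no argument to check the default path, or `demo` to see both outcomes on the constructed samples.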

       

