[37950] in bugtraq
Re: [webmin-l] Re: Webmin BruteForce + Command execution - By
daemon@ATHENA.MIT.EDU (Jamie Cameron)
Thu Dec 23 17:38:54 2004
From: Jamie Cameron <jcameron@webmin.com>
To: webadmin-list@lists.sourceforge.net
Cc: bugtraq@securityfocus.com, DiAblo_2@012.net.il
In-Reply-To: <200412231035.00600.mm@mewes.tv>
Content-Type: text/plain
Message-Id: <1103800655.7245.47.camel@temasek.home>
Mime-Version: 1.0
Date: 23 Dec 2004 22:17:35 +1100
Content-Transfer-Encoding: 7bit
On Thu, 2004-12-23 at 20:34, Martin Mewes wrote:
> Hello,
>
> amit sides <DiAblo_2@012.net.il> wrote :
> > #!/usr/bin/perl
> > ##
> > # Webmin BruteForce + Command execution - By Di42lo
> > <DiAblo_2@012.net.il> #
> > # usage
> > # ./bruteforce.webmin.pl <host> <command>
> [...]
>
> this is a message from the maintainer ...
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> I haven't seen this one before - but it would be blocked by Webmin's
> password timeouts feature. However, this feature (surprisingly!) isn't
> enabled by default ...
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> On behalf of the maintainer I appreciate every input to secure the
> software to its extend. Future versions of Webmin (if needed Usermin
> too) will have this feature enabled by default.
>
> With this we encourage everyone using Webmin to enable this feature to
> avoid a possible break-in.
>
> Again, we would like to tell the OP of this that it would be really nice
> to know first about such issues, so we are ablte to / can do a
> (full-)disclosure on items.
Fortunately, it is quite easy to configure Webmin to defend against this kind
of brute-force password guessing attack. Just do the following :
- Go to the Webmin Configuration module.
- Click on the Authentication icon.
- Select 'Enable password timeouts'.
- Click on the 'Save' button at the bottom of the page.
Future releases will enable this by default.
- Jamie
