FTP backup failure exposes plaintext password

The Webmin virtual-servers backup script can leak the FTP password through e-mail (and, I assume, through anywhere else the diagnostics are logged).

I set up a new Virtualmin server, set a scheduled backup job using FTP with automatic rotation deletion. The login/password combination on FTP was wrong, so it e-mailed a warning. The backup failure e-mail contains the FTP "PASS" line twice; the first is censored with asterisks, but the second is not, and instead exposes the remote FTP password in the clear.

The same also displays in the web page output when running the scheduled backup manually with the "Backup Now" button. I'm running it as a root user, so I don't know if it also exposes the password to site/virtual server admins who might be allowed to use the same remote backup destination.

Sample e-mail below, with names changed to protect the innocent. (Also note that it uses HTML tags in the subject line, which is almost never supported by any e-mail reader.)

========
From: webmin@newserver.example.com
Subject: Failed backup of Virtualmin on newserver.example.com to /newserver/20150104 on FTP server remotestorage.example.com

Backup failed! See the progress output above for the reason why. Total backup time was 00 minutes, 01 seconds.

Sent by Virtualmin at: https://newserver.example.com:10000

Failed to connect to FTP server : PASS ******** failed : Login incorrect.
Deleting backups from /newserver/%Y%m%d on FTP server remotestorage.example.com older than 32 days ..
.. failed to list FTP directory : PASS ExPoSeDpAsSwOrD failed : Login incorrect.

Status: Closed (fixed)
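The report shows the classic shape of this bug: the "connect" error path masks the PASS argument, the "list directory" error path does not, so the assembled notification carries the password once masked and once in the clear. The added example below is not code from the report or from Webmin/Virtualmin; it illustrates the defender-side fix such a report implies, in Python. Credentials are masked on the assembled diagnostic text (so every error path that quotes a PASS line is covered at once), the known password value itself is scrubbed as a second layer, and a final check refuses to send anything that still contains a known secret. The function names, the sample lines and the placeholder password are constructed for this illustration.

```python
import re
from typing import Iterable

# FTP commands whose argument is a credential: PASS carries the password,
# ACCT an optional account string (RFC 959). Matching is case-sensitive on
# purpose: logged FTP transcripts conventionally use upper-case verbs, and a
# case-insensitive match would also hit the English word "pass" in prose.
# The known-secret layer below catches anything this pattern misses.
_CREDENTIAL_CMD_RE = re.compile(r"\b(PASS|ACCT)\s+(\S+)")


def mask_credential_commands(text: str, mask: str = "********") -> str:
    """Mask the argument of every PASS/ACCT command quoted in diagnostic text.

    Applied to the whole assembled message rather than at one call site, so
    a second error path that quotes the PASS line (as in the report) cannot
    bypass the masking.
    """
    return _CREDENTIAL_CMD_RE.sub(lambda m: f"{m.group(1)} {mask}", text)


def scrub_known_secrets(text: str, secrets: Iterable[str], mask: str = "********") -> str:
    """Replace every occurrence of the known secret values themselves.

    This layer does not depend on recognising the protocol line, so a password
    containing whitespace, or one quoted in some other message format, is still
    removed. Secrets are applied longest first so that a secret which is a
    prefix of another cannot leave a tail behind. Empty secrets are skipped
    because replacing "" would corrupt the text. Over-redaction (a password
    that happens to be a substring of a hostname) is the accepted trade-off.
    """
    for secret in sorted({s for s in secrets if s}, key=len, reverse=True):
        text = text.replace(secret, mask)
    return text


def redact_diagnostics(text: str, secrets: Iterable[str]) -> str:
    """Both layers, in the order a mail/log sink should apply them."""
    return scrub_known_secrets(mask_credential_commands(text), secrets)


def leaks_secret(text: str, secrets: Iterable[str]) -> bool:
    """Final gate before a notification is e-mailed or a diagnostic is logged."""
    return any(s and s in text for s in secrets)


# Constructed sample modelled on the e-mail in the report; the password value
# and host names are placeholders, not real credentials or real hosts.
FTP_PASSWORD = "ExPoSeDpAsSwOrD"
SAMPLE_DIAGNOSTICS = "\n".join([
    "Failed to connect to FTP server : PASS ******** failed : Login incorrect.",
    "Deleting backups from /newserver/%Y%m%d on FTP server remotestorage.example.com older than 32 days ..",
    ".. failed to list FTP directory : PASS ExPoSeDpAsSwOrD failed : Login incorrect.",
])


def demo() -> str:
    """Redact the sample and prove the gate would now let it through."""
    clean = redact_diagnostics(SAMPLE_DIAGNOSTICS, [FTP_PASSWORD])
    assert not leaks_secret(clean, [FTP_PASSWORD])
    return clean


if __name__ == "__main__":
    print(demo())
```

The important design point is where the redaction runs: on the text that is about to leave the process (the e-mail body, the log line, the "Backup Now" page), not inside one of several error-formatting helpers. A per-call-site mask is exactly what produced the asymmetry in the report.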

Comments

Thanks for pointing this out - I will fix this in the next Webmin release.

Automatically closed -- issue fixed for 2 weeks with no activity.