Multiple security flaws in Virtualmin?

#1 Tue, 10/01/2019 - 05:45
servercraft

Multiple security flaws in Virtualmin?

I was disturbed to learn recently that Virtualmin had multiple root-level security flaws, as identified by the Rack911labs.com folks: https://www.webhostingtalk.com/showthread.php?t=1770951&p=10177806#post1...

They have been testing control panels that are alternatives to cPanel in view of the massive price increase from cPanel Inc. My motivation for switching to Virtualmin was also the same, but now it seems the software is not secure enough.

I understand that these flaws can be fixed, but I would like to know what the plan is for identifying and fixing such flaws going forward.

Thanks.

Tue, 10/01/2019 - 10:34
fakemoth

Just to follow this thread. This was fixed some time ago http://www.webmin.com/exploit.html but the mentioned post is discussing others too...

Don't take the name of root in vain...

Tue, 10/01/2019 - 10:54
Jfro

And here should be some information too, as they are consequent. (Some links are not updated with information as they should be?)

https://www.virtualmin.com/security

http://webmin.com/security.html

http://usermin.com/security.html

http://usermin.com/changes.html

You have to github and

https://sourceforge.net/p/webadmin/bugs/

https://github.com/webmin/webmin/commits/master

https://github.com/virtualmin/virtualmin-gpl/commits/master

Still, I know that is not the answer to your question, an important one for future use, thank you: "I understand that these flaws can be fixed, but I would like to know what is the plan for identifying and fixing such flaws, going forward."

I asked once to have a separate security part here in the forum, but this forum system seems hard for such changes ;)

Found a new security bug? Report it at security@webmin.com.

Curious about the meaning of this: does it mean that LOGGED in users should be trusted while they can get root... or worse? I would not use that in an untrusted environment.

Tue, 10/01/2019 - 11:29
fakemoth

The official pages really lack some love :) That is all I am willing to say, as I am not the kind that turns its back on any software that has a security flaw, either a programming bug or somehow injected by a "bad actor". That is just bad acting. But there should be a very well maintained security area here, on virtualmin.com

Don't take the name of root in vain...

Tue, 10/01/2019 - 17:32
Joe

That post said they've contacted us with details, but I can't find any related emails in the security@webmin account, so I'm not sure how to proceed. I followed up in the forum there, but haven't heard back yet.

We try to respond to security reports very quickly, as I hope folks who've been around for a while know, but so far I don't think we've gotten any details of the issues mentioned.

--

Check out the forum guidelines!

Tue, 10/01/2019 - 17:37
Joe

Oh, actually, he contacted Jamie directly. So, "we" are aware of them, and Jamie is working on validating the reported issues.

--

Check out the forum guidelines!

Wed, 10/02/2019 - 04:02
fakemoth

Noted. Know that your community is with you, stuff like that happened to literally everyone.

Thanks for your effort and take the time you need to iron things out.

Don't take the name of root in vain...

Wed, 10/02/2019 - 09:58
Welshman

I lost a good customer because he got hacked through a proftpd known problem.

They sorted it later, even told them about it about a year before.

To be honest these guys are cowboys with potential.

Chaos Reigns Within, Reflect, Repent and Reboot, Order Shall Return.

Wed, 10/02/2019 - 10:01
Welshman

Just 1 server with VM now. All are ISPConfig.

Chaos Reigns Within, Reflect, Repent and Reboot, Order Shall Return.

Wed, 10/02/2019 - 10:03
Welshman

They will probably retire the whole thing soon.

Chaos Reigns Within, Reflect, Repent and Reboot, Order Shall Return.

Wed, 10/02/2019 - 10:05
Welshman

Jamie is looking at it???

Chaos Reigns Within, Reflect, Repent and Reboot, Order Shall Return.

Wed, 10/02/2019 - 10:06
Welshman

Looking at it. Christ, are any servers safe using your software? It is a simple YES or NO.

Chaos Reigns Within, Reflect, Repent and Reboot, Order Shall Return.

Wed, 10/02/2019 - 10:08
Welshman

Maybe I should have started it with Howdy Cowboy.

Chaos Reigns Within, Reflect, Repent and Reboot, Order Shall Return.

Wed, 10/02/2019 - 10:23
fakemoth

@Welshman you always have been intellectually challenged. It is nice to see it get worse.

https://media.giphy.com/media/2rAF7UNXwOrifgru3t/giphy.gif

Don't take the name of root in vain...

Wed, 10/02/2019 - 10:26
Welshman

Just a Genius dude.

No one listens. Jesus had the same problem.

No tits in the gif man? Well just one.

Chaos Reigns Within, Reflect, Repent and Reboot, Order Shall Return.

Wed, 10/02/2019 - 10:32
Welshman

Actually S4C people always worried me.

Chaos Reigns Within, Reflect, Repent and Reboot, Order Shall Return.

Wed, 10/02/2019 - 10:35
Welshman

Fakemoth get on the irc dude.

Chaos Reigns Within, Reflect, Repent and Reboot, Order Shall Return.

Wed, 10/02/2019 - 10:36
Welshman

There now, careful, it is packed with users (13)

Chaos Reigns Within, Reflect, Repent and Reboot, Order Shall Return.

Wed, 10/02/2019 - 10:37
andreychek

Since there's far more noise than substance in this thread, I'm going to go ahead and close it.

The key point to take, though, is that the security issues mentioned in the original post are being looked into, and if there is indeed an issue, we'll post a news blurb on the matter as well as push out an update fixing them. None of us want security issues, and if there is one, it'll be fixed.

If anyone wants to have an actual technical discussion, please feel free to open a new thread though :-)

-Eric

Topic locked