Date: 23 Dec 2004 22:17:35 +1100
From: Jamie Cameron <jcameron@...min.com>
To: webadmin-list@...ts.sourceforge.net
Cc: bugtraq@...urityfocus.com, DiAblo_2@....net.il
Subject: Re: [webmin-l] Re: Webmin BruteForce + Command execution - By Di42lo <DiAblo_2@....net.il>


On Thu, 2004-12-23 at 20:34, Martin Mewes wrote:
> Hello,
> 
> amit sides <DiAblo_2@....net.il> wrote :
> > #!/usr/bin/perl
> > ##
> > # Webmin BruteForce + Command execution - By Di42lo
> > <DiAblo_2@....net.il> #
> > # usage
> > # ./bruteforce.webmin.pl <host> <command>
> [...]
> 
> this is a message from the maintainer ...
> 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> I haven't seen this one before - but it would be blocked by Webmin's
> password timeouts feature. However, this feature (surprisingly!) isn't
> enabled by default ... 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> On behalf of the maintainer I appreciate every input to secure the 
> software to its extent. Future versions of Webmin (if needed Usermin 
> too) will have this feature enabled by default.
> 
> With this we encourage everyone using Webmin to enable this feature to 
> avoid a possible break-in.
> 
> Again, we would like to tell the OP of this that it would be really nice 
> to know first about such issues, so we are able to / can do a 
> (full-)disclosure on items.

Fortunately, it is quite easy to configure Webmin to defend against this kind
of brute-force password guessing attack. Just do the following:

 - Go to the Webmin Configuration module.

 - Click on the Authentication icon.

 - Select 'Enable password timeouts'.

 - Click on the 'Save' button at the bottom of the page.

Future releases will enable this by default.

 - Jamie
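As an added illustration (not Webmin's own code and not part of this thread), the following Python model shows the kind of per-client failed-login throttle that a "password timeouts" setting provides: once a client has produced enough failures inside a short window it is locked out for a period, and during the lockout even a correct guess is refused without ever being checked. The thresholds, the demo account, the hashing scheme and the replayed event sequence are all constructed assumptions for the example.

```python
"""Model of a per-client failed-login throttle, in the spirit of Webmin's
'password timeouts' feature.  Added example: this is not Webmin's code.
All policy constants and sample data below are assumptions."""
import hashlib
import hmac
from collections import Counter, defaultdict
from dataclasses import dataclass, field

MAX_FAILURES = 5        # assumed: failures inside the window before lockout
WINDOW_SECONDS = 60     # assumed: window in which failures are counted
LOCKOUT_SECONDS = 300   # assumed: how long a locked-out client is refused

# Constructed demo account.  A real deployment stores salted hashes; plain
# SHA-256 is used here only to keep the example self-contained.
_ACCOUNTS = {"admin": hashlib.sha256(b"correct-horse").hexdigest()}


def check_password(user, password):
    """Constant-time comparison of the supplied password against the store."""
    digest = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(digest, _ACCOUNTS.get(user, ""))


@dataclass
class ClientState:
    failures: list = field(default_factory=list)  # timestamps of recent failures
    locked_until: float = 0.0                     # absolute time lockout ends


class LoginThrottle:
    """Tracks failures per client (e.g. source address) and enforces lockout."""

    def __init__(self, verify, clock):
        self._verify = verify      # callable(user, password) -> bool
        self._clock = clock        # callable() -> seconds; injected for replay
        self._clients = defaultdict(ClientState)

    def attempt(self, client, user, password):
        """Return 'ok', 'bad-password' or 'locked-out'.  A locked-out client
        never reaches the password check, so guessing yields no information."""
        now = self._clock()
        st = self._clients[client]
        if now < st.locked_until:
            return "locked-out"
        # Drop failures that have aged out of the counting window.
        st.failures = [t for t in st.failures if now - t < WINDOW_SECONDS]
        if self._verify(user, password):
            st.failures.clear()
            return "ok"
        st.failures.append(now)
        if len(st.failures) >= MAX_FAILURES:
            st.locked_until = now + LOCKOUT_SECONDS
            st.failures.clear()
        return "bad-password"


# Constructed replay: (time, client, user, password).  One client fires seven
# wrong guesses, then the right password while still locked; a second client
# logs in normally; the first client succeeds only after the lockout expires.
SAMPLE_EVENTS = [
    (0, "10.0.0.5", "admin", "guess-1"),
    (1, "10.0.0.5", "admin", "guess-2"),
    (2, "10.0.0.5", "admin", "guess-3"),
    (3, "10.0.0.5", "admin", "guess-4"),
    (4, "10.0.0.5", "admin", "guess-5"),
    (5, "10.0.0.5", "admin", "guess-6"),
    (6, "10.0.0.5", "admin", "guess-7"),
    (7, "10.0.0.5", "admin", "correct-horse"),
    (8, "10.0.0.9", "admin", "correct-horse"),
    (400, "10.0.0.5", "admin", "correct-horse"),
]


def run_events(events):
    """Replay events through a fresh throttle; return (time, client, outcome)."""
    current = {"t": 0.0}
    throttle = LoginThrottle(check_password, lambda: current["t"])
    outcomes = []
    for t, client, user, password in events:
        current["t"] = float(t)
        outcomes.append((t, client, throttle.attempt(client, user, password)))
    return outcomes


def summarize(outcomes):
    """Count outcomes, e.g. to feed an alert on locked-out or failure volume."""
    return Counter(outcome for _, _, outcome in outcomes)


if __name__ == "__main__":
    for t, client, outcome in run_events(SAMPLE_EVENTS):
        print(f"t={t:>3} {client:<9} {outcome}")
    print(summarize(run_events(SAMPLE_EVENTS)))
```

With the assumed thresholds the replay yields five refused guesses, three locked-out attempts (including the correct password at t=7, which is never checked) and two successes. Keying the state by client rather than by account is a deliberate choice: it means an attacker cannot lock a legitimate user out by hammering their account from elsewhere, though a lockout per account is the stronger defence against distributed guessing and the two are often combined.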

   



Forwarded by the Webmin mailing list at webadmin-list@...ts.sourceforge.net