Webmin Password Brute Force Vulnerability
Webmin is a web-based interface for system administration for Unix. Using any browser that supports tables and forms, you can set up user accounts, Apache, DNS, file sharing and so on. Webmin consists of a simple web server and a number of CGI programs which directly update system files such as /etc/inetd.conf and /etc/passwd. The web server and all CGI programs are written in Perl version 5 and use no external modules, so a Perl binary is all you need to run Webmin.
Webmin has a flaw that lets an attacker both enumerate valid usernames and mount brute force password attacks against machines running Webmin. If you enter an invalid username at the username and password prompt displayed by Webmin, you are let through to the Webmin main screen. You have no access to the modules, but this confirms that Webmin is running on the machine. If instead you enter a valid username with an invalid password, the system returns an 'Access denied' error. The response therefore tells you whether a given username is valid or not.
Webmin should respond identically whether or not the username is valid. Users are also given an unlimited number of attempts at entering the password for a valid username.
Other services send you to a default 'Access denied' URL or something to that effect, but Webmin just keeps prompting for a valid password over and over when an invalid password is entered. This makes brute force password cracking attempts simple. Copyright 2010, SecurityFocus.
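The two weaknesses above, the username oracle and the missing attempt limit, are easier to reason about against a small model. The following is an added example, not Webmin's own code: a toy login handler that reproduces the response difference the advisory describes, an enumerator that turns it into a username oracle, and a hardened handler that returns one failure response for every cause and caps attempts per client address and per username. The account table, passwords, client addresses, response strings and the baseline username are all constructed for the demonstration.

```python
"""Toy model of the two login behaviours described in the advisory, plus a
hardened handler. Added example, not Webmin's own code: the account table,
passwords, client addresses and response strings are all constructed."""
import hashlib
import hmac
import time
from collections import defaultdict

# Constructed account table. Passwords are stored as PBKDF2 hashes so neither
# handler compares plaintext. A single static salt and a reduced iteration
# count keep the demo fast; real code uses a per-user random salt and more rounds.
_SALT = b"constructed-demo-salt"


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 20_000)


USERS = {"admin": _hash("correct-horse"), "sysop": _hash("battery-staple")}
_DUMMY_HASH = _hash("")   # compared against when the username is unknown


def vulnerable_login(user: str, password: str) -> str:
    """Reproduces the behaviour the advisory describes: an unknown username is
    let through to the main screen (no modules), a known username with the
    wrong password gets 'Access denied', and nothing limits retries."""
    if user not in USERS:
        return "MAIN_SCREEN_NO_MODULES"
    if hmac.compare_digest(USERS[user], _hash(password)):
        return "MAIN_SCREEN_FULL"
    return "ACCESS_DENIED"


def enumerate_users(login, candidates):
    """Username oracle: probe each candidate with a junk password and keep the
    ones whose response differs from that of a username that cannot exist.
    Costs one request per candidate and needs no valid password."""
    unknown = login("no-such-user-7f3a", "junk")  # constructed baseline name
    return [u for u in candidates if login(u, "junk") != unknown]


class HardenedLogin:
    """Removes the oracle (one failure response for every cause, constant-cost
    password check) and caps attempts per client address and per username."""

    FAIL = "LOGIN_FAILED"
    OK = "MAIN_SCREEN_FULL"

    def __init__(self, max_failures=5, window_seconds=600, clock=time.monotonic):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.clock = clock                     # injectable so tests can advance time
        self._failures = defaultdict(list)     # key -> timestamps of recent failures

    def _locked(self, key, now):
        recent = [t for t in self._failures[key] if now - t < self.window_seconds]
        self._failures[key] = recent
        return len(recent) >= self.max_failures

    def login(self, client: str, user: str, password: str) -> str:
        now = self.clock()
        keys = ("client:" + client, "user:" + user)
        if any(self._locked(k, now) for k in keys):
            return self.FAIL                   # locked out: do not touch the password
        # Hash the presented password before looking at the username, so an
        # unknown user costs the same time as a known one with a bad password.
        presented = _hash(password)
        stored = USERS.get(user, _DUMMY_HASH)
        if hmac.compare_digest(stored, presented) and user in USERS:
            return self.OK
        for k in keys:
            self._failures[k].append(now)
        return self.FAIL
```

Running enumerate_users against vulnerable_login recovers every real account from a word list; against HardenedLogin every probe returns the same LOGIN_FAILED string, so the list comes back empty. Note the trade-off in the per-username counter: it stops a distributed attack on one account, but it also lets anyone lock out the administrator by sending a few bad passwords, so deployments usually combine a per-client delay or lockout with alerting rather than relying on per-username lockout alone.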