Vulnerabilities

#1 Sun, 01/17/2010 - 12:29
kthxbai2u

http://www.securiteam.com/unixfocus/5WP0E1PRQM.html

What say ye about that? I read that and started looking for other control panels lol....

Can someone make me feel secure once again about virtualmin? Did they fix all that?

Sun, 01/17/2010 - 12:44
ronald

Did you also read on that same page:
Immune Systems:
* Virtualmin version 3.70

Disclosure Timeline:
21/06/2009: Detailed information with examples and PoCs sent to the vendor.
24/06/2009: Initial vendor response.
25/06/2009: Few more vulnerabilities with examples and PoCs sent to the vendor.
26/06/2009: Hot fix for the mysql module released by the vendor.
05/07/2009: New version of the Virtualmin with fixes released by the vendor.
14/07/2009: Security bulletin released.

So yes it's fixed as of 3.70 (current version is 3.76)

Sun, 01/17/2010 - 12:46
kthxbai2u

Oh sweet... I tend to read the bad stuff, freak out, and then I miss things...

Are there any known vulnerabilities in the current version as of yet?

Sun, 01/17/2010 - 12:47
andreychek

Howdy,

About the only thing that I can assure you of is that if you're using software written by humans, there will be some occasional security issues :-)

If you look at other control panels (or, any kind of software in general), you'll also notice security issues there as well.

The thing is that problems get fixed -- and in the case you're mentioning, that was all over 6 months ago.

So, as is mentioned in the report you linked to, those issues were all fixed in Virtualmin version 3.70. Running the most current version is always recommended.

Also, at the bottom of the security report you were looking at, they describe the process of working with the Virtualmin folks to resolve all that. The issues were all resolved within 2 weeks, with a hotfix for the most serious vulnerability being released sooner.

-Eric

Sun, 01/17/2010 - 13:31
kthxbai2u

I know that every program will have flaws in it... I just thought of that while sittin on the crapper... lol. Looks like virtualmin wins :D
