  1. #1
    Join Date
    Feb 2005
    Location
    Norway
    Posts
    1,641

    Security issue with Virtualmin/webmin - clear text password in logfile.

    Hello, trying to see if anybody here at WHT knows about this, and/or has any solution for it.

    I use Virtualmin 4.04 on CentOS 6.5 and when I set up a new Virtualmin server I always use the "hashed password" option.
    That's fine, and I can see that my Virtualmin users, FTP/mail/SSH passwords are hashed. All is OK.

    I use Scheduled backups on my main servers. I use several FTP accounts to store Virtualmin backups.

    Some days ago I looked at my logfiles, and when I looked at /var/webmin/webmin.log I saw several lines with all my FTP account info in clear text.
    Every time Virtualmin takes an auto backup, it stores all the login info in the webmin.log file.

    It's stored as ftp://username:password@hostname/backup folder.
    And it's in clear text, not hashed, but clear.

    This cannot be good. A log file containing all my important login info for all my backup servers. If one of my main servers is hacked, they can simply find any login info, and delete all my backup files.

    As a temp solution, I have created a script that deletes the webmin.log file every minute. Not the best solution, but it works for now.

    Do any of you experts out there have any idea why the password is stored in clear text in webmin.log when I clearly have chosen to use hashed passwords in Virtualmin? And does anybody know how I can avoid this issue?

    Here are three images of the issue so you can see what I'm talking about:
    Image 1: Setting up a backup in Virtualmin
    Image 2: The logfile, you can see all my FTP login info
    Image 3: As you can see, Virtualmin users are protected by hashed passwords, so it's activated on the server.

    Any advice?
    My Top 20 benchmark list (and review site)
    Powered by: Kimsufi, backed up by: Hetzner, DigitalOcean and Vultr.com
    Also using
    SolaDrive.com (45+ months), KnownHost.com (45+ months)
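
A less destructive alternative to deleting the log every minute, as an added example that is not part of the original posts: a Python filter that finds and masks the password in any `scheme://user:password@host` URL in a log. The sample lines are constructed and only loosely shaped like webmin.log entries, and the names `CRED_URL` and `audit` are hypothetical.

```python
import re

# scheme://user:password@host. The password may contain ':' or '@'; the
# greedy match backtracks to the last '@' before the first '/' or space.
# Assumption: a '/' inside the password is percent-encoded, as URLs require.
CRED_URL = re.compile(
    r"(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*)://"
    r"(?P<user>[^\s:/@]+):(?P<password>[^\s/]+)@"
)


def _mask(match):
    # Keep scheme and user name so the entry stays useful for auditing.
    return f"{match['scheme']}://{match['user']}:***@"


def audit(lines):
    """Return (redacted_lines, findings); findings are (line_no, scheme, user)."""
    redacted, findings = [], []
    for line_no, line in enumerate(lines, 1):
        for m in CRED_URL.finditer(line):
            findings.append((line_no, m["scheme"], m["user"]))
        redacted.append(CRED_URL.sub(_mask, line))
    return redacted, findings


# Constructed sample lines, not copied from a real webmin.log.
SAMPLE = [
    '[13/May/2014 03:00:01] root virtual-server backup.cgi '
    'dest=ftp://backupuser:S3cr3t!@backup1.example.net/backup folder',
    '[13/May/2014 03:01:07] root virtual-server index.cgi -',
    '[13/May/2014 03:05:01] root virtual-server backup.cgi '
    'dest=ftp://other:p@ss:w0rd@backup2.example.net/daily',
]

if __name__ == "__main__":
    clean, hits = audit(SAMPLE)
    for line_no, scheme, user in hits:
        print(f"line {line_no}: {scheme} password logged for user {user!r}")
    print("\n".join(clean))
```

Masking only cleans what is already written; passwords that have appeared in the log still need to be changed, since rotated or backed-up copies of the file may hold them.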

  2. #2
    Join Date
    Feb 2005
    Location
    Norway
    Posts
    1,641
    Nobody with any advice on this issue? Is it only me that is using Virtualmin?

  3. #3
    Join Date
    Mar 2009
    Location
    Austin Tx
    Posts
    2,001
    I'm using it, but I was not aware of that issue. I'll surely check it out and look into it myself.
    This is the best signature in the world....Tribute!
    (It is not the best signature in the world, no. This is just a tribute)
