COMMAND

    webmin

SYSTEMS AFFECTED

    Linux

PROBLEM

    Jiva DeVoe found the following.  The latest version of Webmin has an
    error which allows users both to guess valid usernames and to
    attempt brute force password attacks against machines running
    webmin.

    If you enter an invalid username at the username and password prompt
    displayed by Webmin, you are allowed into the webmin main screen.
    You don't have access to the modules, but this lets the user see
    that webmin is on the machine.  Further, if you enter a valid
    username but an invalid password, the system gives you an access
    denied error; thus you can tell from the system's response whether
    a username is valid or not.  Webmin should respond identically
    whether it's a valid username or not.

    Users are  given an  indefinite number  of attempts  at entering a
    valid password for a valid  username.  Other services send  you to
    a default  "Access denied"  URL or  something to  that effect, but
    webmin just keeps prompting for a valid password over and over  if
    an invalid password  is entered.   This makes for  simple password
    cracking attempts via brute force.
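    As an added example (not Webmin's own code), the following Python
    login check addresses both problems the advisory describes: an
    unknown username and a wrong password yield the same "DENIED"
    answer and the same amount of hashing work, and failed attempts are
    counted per username and per client address so that the prompt is
    not re-offered indefinitely.  The user store, the static salt and
    the use of PBKDF2 are assumptions constructed for the example.

```python
"""
Added example: a login check that neither reveals whether a username
exists nor allows unlimited password guesses.

The user database, salt and hashing scheme below are constructed for
illustration and are not taken from Webmin.
"""
import hashlib
import hmac
import time
from collections import defaultdict

# Kept low so the example runs quickly; a production setting is higher.
PBKDF2_ITERATIONS = 20_000

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                               PBKDF2_ITERATIONS)

# Constructed: a real system stores a random salt per user.
_SALT = b"constructed-static-salt"
USERS = {
    "admin": (_SALT, _hash_password("correct horse battery staple", _SALT)),
}

# Hash of a dummy password, checked when the username is unknown so the
# unknown-user path takes the same time as the wrong-password path.
_DUMMY_HASH = _hash_password("dummy", _SALT)

MAX_FAILURES = 5        # failures tolerated per key inside the window
WINDOW_SECONDS = 900    # 15 minutes

class LoginGuard:
    def __init__(self, users=USERS, now=time.monotonic):
        self.users = users
        self.now = now          # injectable clock, used by the tests
        # key ("u:<user>" or "c:<client>") -> timestamps of failures
        self.failures = defaultdict(list)

    def _recent_failures(self, key: str) -> int:
        cutoff = self.now() - WINDOW_SECONDS
        self.failures[key] = [t for t in self.failures[key] if t > cutoff]
        return len(self.failures[key])

    def _record_failure(self, *keys: str) -> None:
        t = self.now()
        for k in keys:
            self.failures[k].append(t)

    def login(self, username: str, password: str, client: str) -> str:
        """Return "OK", "DENIED" or "LOCKED".

        Every failure path returns the identical "DENIED" string, so the
        response does not disclose whether the username is valid.
        """
        user_key = "u:" + username
        client_key = "c:" + client
        if (self._recent_failures(user_key) >= MAX_FAILURES
                or self._recent_failures(client_key) >= MAX_FAILURES):
            return "LOCKED"

        record = self.users.get(username)
        if record is None:
            # Unknown user: still do the hash work, then fall through to
            # the same DENIED answer a wrong password gets.
            salt, expected, valid_user = _SALT, _DUMMY_HASH, False
        else:
            (salt, expected), valid_user = record, True

        candidate = _hash_password(password, salt)
        # compare_digest avoids timing leaks on the comparison itself.
        if valid_user and hmac.compare_digest(candidate, expected):
            self.failures.pop(user_key, None)   # reset on success
            return "OK"

        self._record_failure(user_key, client_key)
        return "DENIED"

if __name__ == "__main__":
    g = LoginGuard()
    print(g.login("nosuchuser", "x", "10.0.0.1"))   # DENIED
    print(g.login("admin", "wrong", "10.0.0.1"))    # DENIED
    print(g.login("admin", "correct horse battery staple", "10.0.0.1"))  # OK
```

    Counting failures per client as well as per account, and letting
    the count expire after a window, is the trade-off chosen here: a
    pure per-account lockout would let anyone lock an administrator out
    simply by sending bad passwords, while a pure per-client limit is
    trivially spread across addresses.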

SOLUTION

    The developers of webmin have already released an updated  version
    of webmin which fixes these problems.  It is available at:

        http://www.webmin.com/webmin/download/webmin-0.5.tar.gz