Skip to content

Security: tgurr/webmin

Security

SECURITY.md

Reporting Security Issues

Please send all reports of security issues found in Webmin to [email protected] via email, ideally PGP encrypted with the key from https://www.webmin.com/jcameron-key.asc .

Potential security issues, in descending order of impact, include :

  • Remotely exploitable attacks that allow root access to Webmin without any credentials.

  • Privilege escalation vulnerabilities that allow non-root users of Webmin to run commands or access files as root.

  • XSS attacks that target users already logged into Webmin when they visit another website.

Things that are not actually security issues include :

  • XSS attacks that are blocked by Webmin's referrer checks, which are enabled by default.

  • Attacks that require modifications to Webmin's code or configuration, which can only be done by someone who already has root permissions.

There aren’t any published security advisories