Webmin Security Problem
retep
08-09-2006, 11:35 AM
There is a serious webmin security flaw see http://bliki.rimuhosting.com/space/knowledgebase/linux/miscapplications/webmin to see how you could be affected by this.
metinex
08-15-2006, 05:33 AM
Looks like it affects versions below 1.290:
http://www.webmin.com/security.html
Arbitrary remote file access
Affects Webmin versions below 1.290, and Usermin versions below 1.220, on any operating system.
An attacker without a login to Webmin can read the contents of any file on the server using a specially crafted URL. All users should upgrade to version 1.290 as soon as possible, or setup IP access control in Webmin.
Thanks to Kenny Chen for bringing this to my attention.
macquigg
08-15-2006, 11:10 PM
I understand unvalidated input, buffer overflows, etc. What I don't understand is how a product as good as Webmin can have such a simple vulnerability. I don't care how clever the crook is, the rule should be - if you don't have a correct password, you don't get in. Until a correct password is provided, Webmin should not be parsing URLs, or anything else that might lead to trouble.
I've set the firewall on my server to allow access on port 10000 *only* from my own IP address. Hopefully the folks who wrote iptables won't be as stupid!
Sorry for what might be a rant on an inappropriate forum, but I couldn't find any discussion of this problem elsewhere.
-- Dave
retep
08-16-2006, 12:12 AM
I updated that webmin link with a bit of info about running webmin just on the localhost interface (and accessing it via an ssh tunnel).
As to how these problems occur perhaps an email to jcameron @ webmin.com may help shed some light on the matter.
macquigg
08-16-2006, 06:44 PM
Why is access through SSH any more secure than through the Webmin login?
The instructions at http://bliki.rimuhosting.com/space/knowledgebase/linux/miscapplications/webmin are not clear. Under Webmin Configuration - Ports and Addresses, I can only enter an IP address, not "localhost". Should I enter the IP address of the external interface?
retep
08-16-2006, 11:08 PM
I updated the howto. Thanks for the input.
macquigg
08-17-2006, 10:21 PM
OK, Webmin will accept 127.0.0.1 as an only address, but now I'm finding that setting up an SSH tunnel each time I want to use Webmin is a bit of a pain in PuTTY. It won't remember the tunnel settings. You have to type them in each time.
I'm finding that it's much easier to use the firewall to limit access to Webmin. I've put two lines in my firewall setup script, allowing access to port 10000 from only two IP addresses.
# Webmin - restricted access DMQ 8/17/06
allow_inbound ext tcp 10000 -s 216.183.71.68 # dave
allow_inbound ext tcp 10000 -s 66.238.150.200 # max
We should be able to do this in Webmin, but for some reason it won't let me enter more than one address in the Ports and Addresses form. Also, I'm not sure I trust Webmin any more. The firewall program is probably much more robust.
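The two mitigations discussed in this thread (retep's localhost-plus-SSH-tunnel approach and Dave's firewall allowlist on port 10000) can be expressed as plain iptables rules. The script below is an added example and is not Dave's firewall script nor anything from Webmin or RimuHosting; the `allow_inbound` wrapper he uses is not reproduced here. It assumes iptables on the server, an external interface named eth0, and the two example source addresses are constructed documentation addresses. The `ipt` wrapper prints the commands by default (IPTABLES_DRY_RUN=1) so the rule set can be reviewed before it is applied.

```shell
#!/bin/sh
# Added example: restrict Webmin's TCP port 10000 to an allowlist of
# source addresses, with a catch-all DROP for everyone else.
# Assumptions (not from the thread): iptables is installed, the external
# interface is eth0, and IPTABLES_DRY_RUN=1 (the default here) prints the
# rules instead of applying them.

WEBMIN_PORT=10000
EXT_IF=${EXT_IF:-eth0}

# Run or, in dry-run mode, print one iptables invocation.
ipt() {
    if [ "${IPTABLES_DRY_RUN:-1}" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Return 0 if $1 is a dotted-quad IPv4 address with octets 0-255, else 1.
# Validating the allowlist first avoids installing a malformed rule.
valid_ipv4() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# webmin_rules ADDR [ADDR...]
# ACCEPT port 10000 from each listed source, ACCEPT it on loopback (so a
# Webmin bound to 127.0.0.1 is still reachable through an SSH tunnel),
# then DROP it for everyone else. Rule order matters: the ACCEPT rules
# must be appended before the DROP, otherwise the allowlist never matches.
webmin_rules() {
    for src in "$@"; do
        valid_ipv4 "$src" || { echo "webmin_rules: bad address: $src" >&2; return 1; }
    done
    for src in "$@"; do
        ipt -A INPUT -i "$EXT_IF" -p tcp --dport "$WEBMIN_PORT" -s "$src" -j ACCEPT
    done
    ipt -A INPUT -i lo -p tcp --dport "$WEBMIN_PORT" -j ACCEPT
    ipt -A INPUT -p tcp --dport "$WEBMIN_PORT" -j DROP
}

# Usage (constructed documentation addresses, review the output first):
#   IPTABLES_DRY_RUN=1 ./webmin-fw.sh
#   IPTABLES_DRY_RUN=0 ./webmin-fw.sh   # apply for real
webmin_rules 192.0.2.10 198.51.100.7
```

With Webmin bound to 127.0.0.1 as retep's howto describes, the loopback ACCEPT is what keeps the tunnelled path working: on the client, `ssh -L 10000:127.0.0.1:10000 user@server` forwards the local port to the server's loopback interface, and Webmin is then opened at http://localhost:10000/ on the client. In PuTTY the same forward is configured under Connection > SSH > Tunnels and persists if the session is saved afterwards. Note that the allowlist rules only protect the external interface; the final DROP is what makes the port unreachable from any address not listed.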
Jeff Mincey
08-28-2006, 04:47 AM
Has the latest version of webmin (which presumably does not have this security vulnerability) been added to the Rimuhosting repositories? If not, why not? Is it a concern about testing?
EDIT: I see on your bliki that you have posted instructions on how to perform an upgrade of webmin, so I will leave it there.
retep
08-28-2006, 07:53 AM
And yes, the webmin version in the apt repositories we control (wbel3 and rhel4) is the latest.