Add a security page
parent
c686cfab4e
commit
f472208894
23
SECURITY.md
Normal file
@ -0,0 +1,23 @@
## Reporting Security Issues
Please send all reports of security issues found in Webmin to security@webmin.com
via email, ideally PGP encrypted with the key from https://www.webmin.com/jcameron-key.asc .
Potential security issues, in descending order of impact, include :
* Remotely exploitable attacks that allow `root` access to Webmin without
any credentials.
* Privilege escalation vulnerabilities that allow non-`root` users of Webmin
to run commands or access files as `root`.
* XSS attacks that target users already logged into Webmin when they visit
another website.
Things that are not actually security issues include :
* XSS attacks that are blocked by Webmin's referrer checks, which are enabled
by default.
* Attacks that require modifications to Webmin's code or configuration, which
can only be done by someone who already has `root` permissions.
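Review bot: the reporting paragraph points to the PGP key only by URL (https://www.webmin.com/jcameron-key.asc) and gives no fingerprint, so a reporter has nothing in the repository to check the downloaded key against; adding the key's full fingerprint next to the link would fix that. The same paragraph does not say what a reporter should expect after sending the mail (acknowledgement, disclosure timing), which is worth one sentence. Minor style: "include :" in both list introductions and ".asc ." have a space before the punctuation; the space before the final period keeps it out of the URL, so wrapping the URL in angle brackets would let you drop it.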