Multiple security flaws in Virtualmin?

I was disturbed to learn recently that Virtualmin had multiple, root level security flaws, as identified by the folks:

They have been testing control panels that are alternatives to cPanel in view of the massive price increase from cPanel Inc. My motivation for switching to Virtualmin was also the same, but now it seems the software is not secure enough.

I understand that these flaws can be fixed, but I would like to know what is the plan for identifying and fixing such flaws, going forward.


Just to follow this thread. This has been fixed some time ago but the mentioned post is discussing others too…

And here should be some information too as they are consequent. (some links are not updated as should with information?)

You have to github and

Still I know that is not the answer to your question, for future use important one thank you…
I understand that these flaws can be fixed, but I would like to know what is the plan for identifying and fixing such flaws, going forward.

I asked once to have separate security part here in forum, but this used forum system seems hard for such changes :wink:

Found a new security bug? Report it at

Curious meaning of this while does it mean if LOGGED in users that should be trusted while they can get root… or worse?
I would not use that in an untrusted environment.

The official pages really lack some love :slight_smile: That is all I am willing to say as I am not the kind that turns its back to any software that has a security flaw, either a programming bug or somehow injected by a “bad actor”. That is just bad acting. But there should be a very well maintained security area here, on

That post said they’ve contacted us with details, but I can’t find any related emails in the security@webmin account, so I’m not sure how to proceed. I followed up in the forum there, but haven’t heard back yet.

We try to respond to security reports very quickly, as I hope folks who’ve been around for a while know, but so far I don’t think we’ve gotten any details of the issues mentioned.

Oh, actually, he contacted Jamie directly. So, “we” are aware of them, and Jamie is working on validating the reported issues.

Noted. Know that your community is with you, stuff like that happened to literally everyone.

Thanks for your effort and take the time you need to iron things out.

I lost a good customer because he got hacked through a proftpd known problem.

They sorted it later, even told them about it about a year before.

To be honest these guys are cowboys with potential.

Just 1 server with VM now. All are ISPConfig.

They will probably retire the whole thing soon.

Jamie is looking at it???

Looking at it. Christ, are any servers safe using your software? It is a simple YES or No.

Maybe I should have started it with Howdy Cowboy.

@Welshman you always have been intellectually challenged. It is nice to see it get worse.

Just a Genius dude.

No one listens. Jesus had the same problem.

No tits in the gif man? Well just one.

Actually S4C people always worried me.

Fakemoth get on the irc dude.

There now, careful it is packed with users (13)

Since there’s far more noise than substance in this thread, I’m going to go ahead and close it.

The key point to take though is that the security issues mentioned in the original post are being looked into, and if there is indeed an issue we’ll post a news blurb on the matter as well as push out an update fixing them. None of us want security issues, and if there is one it’ll be fixed.

If anyone wants to have an actual technical discussion, please feel free to open a new thread though :slight_smile: