How secure is VirtualMin? I have seen where virtual min had perl and other critical vulnerabilities however im currious as to the recent security. I understand part of it is how i configure and setup things. Does anyone have any hardening tips? I am about to buy VirtualMin Professional & install of a dedi! Glad to be a part of the community 
Our security history is public and it is competitive with or better than most control panel software on the market. The last exploit I would consider pretty serious was in Webmin 1.991 in 2022 (but that one didn’t effect users created in Virtualmin, so it was not really a Virtualmin security issue).
Most recent issues have been XSS issues, and XSS issues are mostly harmless, because you have to have an account with sufficient privileges and you have to click on a malicious link. Your attacker generally needs to know a lot about you and your server to make a successful attack via that path. I’m unaware of anyone being exploited via an XSS in Webmin…it’s more of a theoretical issue (though we fix them when reported, of course).
And, some reported vulnerabilities, including some that have been assigned CVEs in the past, simply aren’t security issues at all, because they require a root-level account in Webmin to “exploit” them…which is nonsense. Of course the root user can do things with root privileges on the system.
There is no such thing as perfectly secure software at this scale, but Virtualmin and all related software is actively maintained, and our response time to security issues has been quite fast, usually within a few hours of when it’s reported.
Anyway, Open Source software is eventually more secure than proprietary alternatives, and Webmin and Virtualmin have been Open Source for decades. A lot more eyes have looked at Webmin and Virtualmin than almost any other control panel. That’s not a guarantee of security, but more eyes is better than fewer.
I’d also recommend you search the forum, it’s been discussed many times.
2 Likes
This topic was automatically closed 8 days after the last reply. New replies are no longer allowed.