Last week, we received a couple of security bug reports from Mike of bitcomsec (user bitcomsec here at Virtualmin.com) about our TWiki instance running doxfer.webmin.com, which is where most of the documentation for Webmin has resided for several years. There was at least one remote execution bug, and a number of XSS and other bugs in the version of TWiki we were running. TWiki had proven extremely fragile for us over the years, and I stopped upgrading it out of fear of breaking it…which led to an old version sticking around past when Virtualmin told me new versions were available.
Luckily, that wiki had its own virtual machine, with nothing of particular importance running on it, and had no sensitive data. And, as far as we know, no one with malicious intent ever exploited the account. That said, if you had an account on that old system and you used the same password you used on other sites, you should consider that password compromised and change it.
This only effects you if you created an account on doxfer.webmin.com to edit the TWiki wiki. Virtualmin.com has never had any connection to doxfer.webmin.com, they have always been on separate virtual machines, and shares no data.
OK, security stuff out of the way, this is a change I’ve been planning to make for ages. MediaWiki is a better fit for our needs and it’s been fun learning my way around it again (I have maintained MediaWiki sites in the distant past, but it’s gotten a lot of cool enhancements since then). The new wiki, while still being polished up and documentation updated, is already nicer than the TWiki wiki ever was, I think. And, of course, upgrading MediaWiki has historically been more reliable than my experience with TWiki has been.
So, check out the new Webmin wiki! http://doxfer.webmin.com
Me and Eric spent hours and hours over the weeked migrating and polishing up the content from the old wiki, and will continue to work on it indefinitely…now that we have a nice stable platform on which to build we’re hoping we can make the docs for Webmin better than ever. There are several new modules in need of docs, and several years worth of updates and enhancements to document in the modules that have existed for years. We’d love it if y’all would help out!
So, thanks to Mike at Bitcomsec for the heads up, and the impetus I needed to get my ass in gear on finally moving us to a new wiki!
PS-TWiki is a fine piece of software with a lot of cool features and capabilities. Unfortunately, it’s not the right tool for the Webmin documentation. So many of those features just got in the way of what we needed to do, and made seemingly simple things hard. MediaWiki is similarly large, but is much less enterprise-focused and more focused on allowed non-technical users to write documentation quickly. The difficulty we ran into while upgrading it was the final straw. And, to give credit where credit is due, the TWiki security process is great. They provide hotfix patches for all of the remote execution bugs on their website going way back to quite old versions, which is a great security practice that I appreciate. So, don’t let me talk you out of using TWiki…it has it’s place, but it’s not right for us.