I have to confess, I'm the one responsible for the first comment in the talkback section. I wrote a longer comment, but after proofreading it, I realized that only fellow monks would appreciate it and reduced it to PHB reading level.
I stand by my original claims about webmin. Not only is it poorly-written by today's standards, it leads to even scarier code when in-house development begins. I haven't tested this thoroughly, but if I recall correctly, taint mode is ineffectual because of the way miniserv.pl runs the module code. Another gripe: there is a lot of code that touches critical system data that I would only reluctantly trust to well-respected CPAN modules and does so in ways that lead to easily avoidable errors like duplicate records in system user databases.