Webmin uses the miniserv.pl server. During an audit, the security testing company claimed that it allows files in Webmin directories to be listed. Unfortunately, I could not find a way to disable listing in the miniserv.conf file. With Apache, this is easy to do using the .htaccess file. However, this does not work here.
For example, if I enter the address https://server.com:10000/unauthenticated/js/ or similar in my web browser, I get the contents of this directory:
This is potentially dangerous because a hacker can check the contents of the directories. I have several servers with Webmin installed, and the problem occurs on all of them. For security reasons, it should not be possible to list directories.
Is there any way to block file indexing on the miniserv.pl server?
I have limited experience with these reports. Do they give a more detailed explanation of the query used? I tried a few things and found nothing in searches that hints at this. I can’t get past the login screen.
Many times these people run scripts and have NO clue what’s happening. They just run the script/program, send you the report and bill. I had one that said “IF” they had more time they could have actually proven what they claimed.
One listed RH provided packages as vulnerable based solely on version number. Of course RH provides updated and patched variants.
I think you should clarify this with your team. Unless you are logged into Webmin you cannot browse anything. If there is anything different to this it is a bug and needs patching with some urgency.
Those files are intentionally available unauthenticated. Which is why they are in a directory called “unauthenticated”. They are JavaScript libraries and don’t require authentication. They are not sensitive files.
But, if you want no indexes, you can do that in the obvious place: Webmin->Webmin Configuration->Web Server Options->List directories without an index file
Thank you very much! It works perfectly. I couldn’t find this option. I searched through the configuration files instead of looking through the Webmin configuration page.
P.S. I have been using Webmin for years and have never had an attack or even an attempted attack due to file indexing. I know that it does not pose any threat. However, the auditing company requested that the indexing option be removed.
I have seen Perl errors.
So I think you are asking for Perl errors in Webmin, but I would only expect them to be visible within Perl code, and who writes that (staff and devs only), I suspect.
To clarify that post: I have only seen Perl errors from within the Webmin/Virtualmin GUI and have probably reported such in the forum.
I do not remember ever seeing them outside a logged-in app.
I guess because all standard Webmin modules have an index.cgi file, so directory listing pretty much never happens. And even if it does, since this is an open-source package the contents of any Webmin directories are hardly a secret.
Right. But having it disabled by default won’t hurt either. I suggest we disable it by default, as it isn’t the first time this issue has been brought up.