Hi I noticed SecurityMetrics are flagging both webmin port 10000 and usermin port 20000 as having the HTTP trace function enabled and is causing PCI compliancy failures. I just wanted to know if there’s a way of either fixing them or disabling them manually.
Howdy,
Hmm, I’ve done some testing, and don’t seem to be able to reproduce anything that suggests HTTP Trace is enabled.
I’ve asked Joe for some more info on that just to be sure, and he tells me that Webmin and Usermin’s miniserv.pl process doesn’t support the TRACE method (that is, the TRACE functionality isn’t built into miniserv.pl).
Unfortunately, it sounds like what you’re seeing there is a false positive. I say “unfortunately” because I know how much a pain it is to convince a PCI company of that sort of thing 
-Eric
it seems to appear when you set redirect non https to https on.
In my testing, Webmin seems to be handling a “TRACE” by ignoring it, and treating it like a “GET”.
That’s true when using the redirect you mentioned above, or when using the HTTP or HTTPS modes.
I don’t see anything that suggests that the TRACE functions though.
It looks like Apache handles this by denying the request in some way, and not returning anything that suggests it worked.
I’m wondering if the PCI company is seeing a lack of an error, and thinking that this implies it worked?
Just to make sure Jamie can chime in on that, since I’d want him to be able to comment on whether that’s the best way to handle it – perhaps it’d be wise to open up a support request using the Support link above, and ask this same question there. Then we can be certain that’s really what’s going on, and verify that there isn’t a different way things should be handled.
Thanks!
-Eric
Actually, scratch that – I just emailed Jamie, and asked him to take a look at this when he has a moment.
So you don’t need to do anything, Jamie will take a peek and respond.
-Eric
Webmin will indeed treat any known HTTP request method as the same as GET - even a TRACE request.
So I looked into this some more, and since Webmin never uses a TRACE request I will just reject them completely in the next release. That should solve this PCI scan issue.
Any chance of an eta on this or even as a small hotfix? The PCI Compliancy company are refusing to certify until the issue has been fixed.
You can see the code change at https://github.com/webmin/webmin/commit/ab1095e529db0728530497856c45466b7d10dc7c
nice. is there any version I could download for usermin and webmin with these changes as a centos rpm?
No, not yet. You would need to manually apply that fix, and then run /etc/webmin/restart
it worked! The PCI Compliancy test passed! I had to apply the fix to both the webmin and usermin miniserv.pl files for the compliancy check to pass for example /usr/libexec/webmin/miniserv.pl
& /usr/libexec/usermin/miniserv.pl for centos. Both had to be modified.