PCI Compliance Fails CGI XSS & Remote File Inclusion

True, but anything can be reverse proxied by Apache/nginx.
And maybe miniserv is also capable of supporting HTTP basic auth… not sure, but why not?

Miniserv does support HTTP-like auth, but that’s not the recommended method—and honestly, I’m not even sure we still display that option anymore.

So, what problem are we trying to solve here—just making a glitchy scanner happy, maybe?

I too feel like it’s a glitchy scanner. I’m going the route of false positive and hope that satisfies them. But, if there was a way to resolve a glitchy scanner, that would be awesome. Thanks to everyone for the replies & support.

I’m not sure how many different scanners are out there. You can just install Kali Linux and use some of the packages there and put out your shingle. :frowning: Think of it as being ahead of the curve. Why accept characters that aren’t valid when you have miscreants out there that have nothing better to do than find flaws that no one knows exists yet? Criminal organizations, state sponsored and/or just financially motivated, have lots of resources to throw at it. And, now they have AI help.

If it helps, just think of it as pissing off assholes and making them waste even more time.

@ID10T, I don’t disagree; however, take a look at this:

@Jamie, what if nonsensical usernames were allowed only optionally, and by default usernames were filtered, like:

/^[\p{L}\p{N}_-]+$/;

Virtualmin does not use nginx or Apache. Virtualmin is a module of Webmin which has its own web/app server, which is neither of those. Virtualmin manages Apache or nginx, but it does not run under either.

Also basic auth is trash (I mean, it’s fine for some things, but it’s definitely not more secure than what we’re doing in Webmin or what most web apps are doing).

Filtered where though? When logging in, or when creating a user?

No, the username that is sent to, processed by, and returned by Miniserv in case of an error. Not registered—we don’t care about registered users at this point.

Or, even we could fail before the user and password are sent.

Not that Virtualmin has to match its competitors, but do other control panels allow strange characters?

Does Virtualmin use real Linux accounts under a specific group, whereas other panels maintain a separate user database?

It’s not about what competitors do; it’s about what Linux itself allows.

Both, in fact.

This has annoyed me in the past, but I guess it makes sense now.

Auth fails, return nothing. Solves a lot.

I mean I suppose we could fail logins faster for odd usernames, but I really don’t see much point. If the user doesn’t exist, the login will fail. And Virtualmin lets you limit characters allowed in usernames if desired.

Yes, you’re right, but English is not my native language, so it wasn’t expressed properly. Virtualmin manages/supports Apache/nginx through Webmin modules.

Basic auth might be trash, but so many scanners/vulnerabilities wouldn’t be able to scan any Webmin URL (which is already user-only, not public), and HTML would be available only after successful login.
I think it would be a nice hardening option someplace. That’s just an idea to save some future annoyances like the OP mentioned (or, IIRC, another vulnerability for Webmin that was shown in OpenVAS tests a few years back for no serious reason).

Anyway, sorry for the noise,
2c.

I think here we can just make a small cosmetic change—since 99% of usernames are normal and don’t have special characters. On unsuccessful login, we can run the returned username through ^[\p{L}\p{N}_-]+$ regex, and if it doesn’t match, simply leave the username field empty. That way, we handle it in the simplest and most straightforward way.
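As an added illustration of the filter proposed in the two posts above (the ^[\p{L}\p{N}_-]+$ check applied to the username echoed back after a failed login), here is a small Python sketch. It is example code written for this page, not Webmin or Miniserv code; the function names, the rendered input tag, and the sample payloads are all constructed for the demonstration. Python's standard `re` module has no \p{..} classes, so the same character classes are checked through `unicodedata` categories, which covers every Unicode letter and number the Perl regex would accept.

```python
import html
import unicodedata

# Characters permitted besides Unicode letters (\p{L}) and numbers (\p{N}).
EXTRA_ALLOWED = "_-"


def is_plain_username(name: str) -> bool:
    r"""True if name matches ^[\p{L}\p{N}_-]+$ : non-empty, and every
    character is a Unicode letter, a Unicode number, '_' or '-'.
    General category letter 'L' covers Lu/Ll/Lt/Lm/Lo; 'N' covers Nd/Nl/No."""
    if not name:
        return False
    for ch in name:
        if ch in EXTRA_ALLOWED:
            continue
        if unicodedata.category(ch)[0] not in ("L", "N"):
            return False
    return True


def username_for_failed_login_form(submitted: str) -> str:
    """Value to put back into the username field after an unsuccessful login.
    Anything that does not look like a normal username is simply dropped,
    so a scanner's probe such as '"><script>..' is never echoed at all."""
    if not is_plain_username(submitted):
        return ""
    return submitted


def render_login_failed(submitted: str) -> str:
    """Constructed stand-in for the error page's username input.
    HTML escaping stays in place as a second layer; the filter above only
    decides whether there is anything to echo in the first place."""
    echoed = username_for_failed_login_form(submitted)
    return '<input name="user" value="%s">' % html.escape(echoed, quote=True)


if __name__ == "__main__":
    # Constructed sample inputs: ordinary names pass, scanner payloads vanish.
    for sample in ["alice", "jörg_01", "用户-1", '"><script>alert(1)</script>', "a b"]:
        print(repr(sample), "->", render_login_failed(sample))
```

The filter is applied only to what gets reflected into the page on error, which is what the last post suggests; it says nothing about which usernames may exist on the system, so a legitimate account with an unusual name still logs in normally and merely sees an empty field after a typo.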