PCI Compliance - Webmin/Usermin/MiniServ versions

SYSTEM INFORMATION
OS type and version CentOS Linux 7.9.2009
Webmin version 1.984
Virtualmin version 6.17

I’m currently getting a server setup to be ‘PCI Compliant’ - e.g. pass an automated PCI scan.

There is some documentation here (PCI Compliance – Virtualmin) but it appears to be out of date. I have used it as a starting point and think I now have everything running on TLSv1.2.

One of the items it mentions is CVE-2020-8820 in Webmin <=1.941 - however I am running Webmin 1.984.

The evidence the scan tool is showing is that requests to port 20000 show “Server: MiniServ/1.834” in the response headers. Am I correct in thinking this is a false positive, as the MiniServ version on port 20000 is the Usermin version rather than the Webmin version?

Thanks,

Chris

Port 20000 is the default port for Usermin, yes. Your scanner apparently doesn’t know the difference.

Thanks - I’ll report it as a false positive. It’s not my scanner, it’s PCI DSS Compliance Programme | Clover - but I’m unfortunately having to deal with it :)

I guess it could be possible that I’ve configured Webmin to run on port 20000 instead of Usermin.

Perhaps you could have the option to remove the version info from MiniServ (like ServerTokens in Apache), or make it clear which product MiniServ is serving - e.g. MiniServ/Usermin/1.834 - to make life easier for these automated tools, and in turn for the sysadmins who have to fight with them.
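The check behind the exchange above, written out as an added example (this is not Webmin/Usermin/Virtualmin project code). It probes the Server banner on the Webmin and Usermin ports, attributes a MiniServ banner to a product by port (MiniServ itself never says which product it is serving), and compares the banner against the versions you know are installed, so a scanner finding like "MiniServ/1.834 on 20000" can be confirmed as Usermin rather than Webmin. The host name, the default-port mapping (10000 Webmin, 20000 Usermin) and the installed-version figures are assumptions taken from this thread; the headers in the sample run are constructed, not captured.

```python
"""Attribute a MiniServ Server banner to Webmin or Usermin by port.

Added example, not project code. Assumptions: default ports 10000 (Webmin)
and 20000 (Usermin); the version numbers used below come from the thread.
"""
import http.client
import re
import ssl

# Both products are served by the same MiniServ web server; only the port
# (and your own records of what is installed) tells them apart.
DEFAULT_PORTS = {10000: "Webmin", 20000: "Usermin"}

BANNER_RE = re.compile(r"^MiniServ/(\d+(?:\.\d+)*)$")


def parse_miniserv_version(server_header):
    """Return the version from a 'Server: MiniServ/x.y' header, else None."""
    if server_header is None:
        return None
    m = BANNER_RE.match(server_header.strip())
    return m.group(1) if m else None


def attribute_banner(port, server_header, ports=DEFAULT_PORTS):
    """Map a banner seen on a port to the product that port defaults to."""
    return {
        "port": port,
        "product": ports.get(port, "unknown (non-default port)"),
        "miniserv_version": parse_miniserv_version(server_header),
    }


def check_scanner_finding(port, server_header, installed, ports=DEFAULT_PORTS):
    """Compare a scanner's banner observation with what is actually installed.

    `installed` maps product name -> version you verified on the box (e.g.
    from the Webmin/Usermin UI or the package manager). The result says which
    product the port belongs to and whether the banner matches its version;
    a match on the Usermin port means the finding is not about Webmin.
    """
    info = attribute_banner(port, server_header, ports)
    installed_version = installed.get(info["product"])
    info["installed_version"] = installed_version
    info["matches_installed"] = (
        info["miniserv_version"] is not None
        and info["miniserv_version"] == installed_version
    )
    return info


def fetch_server_header(host, port, timeout=5.0):
    """HEAD / over HTTPS and return the Server header (None if absent).

    Certificate verification is disabled because Webmin/Usermin commonly run
    with a self-signed certificate; this is a banner probe, not a trust check.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    try:
        conn.request("HEAD", "/")
        return conn.getresponse().getheader("Server")
    finally:
        conn.close()


def probe_host(host, installed, ports=DEFAULT_PORTS):
    """Probe every default port on a live host and evaluate each banner."""
    results = []
    for port in sorted(ports):
        try:
            header = fetch_server_header(host, port)
        except OSError as exc:  # closed port, firewall, timeout
            results.append({"port": port, "error": str(exc)})
            continue
        results.append(check_scanner_finding(port, header, installed, ports))
    return results


if __name__ == "__main__":
    # Constructed sample matching the thread: scanner saw MiniServ/1.834 on
    # 20000; the box runs Webmin 1.984 and (assumed) Usermin 1.834.
    installed = {"Webmin": "1.984", "Usermin": "1.834"}
    for port, header in [(10000, "MiniServ/1.984"), (20000, "MiniServ/1.834")]:
        print(check_scanner_finding(port, header, installed))
    # For a real host, replace the constructed headers with:
    #   print(probe_host("example.invalid", installed))
```

If `matches_installed` is false on a default port, do not file a false positive yet: either the port is serving the other product (check `miniserv_port` in /etc/webmin/miniserv.conf and /etc/usermin/miniserv.conf) or the installed-version figures are stale.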

Another PCI compliance test suite: Website Security Test | Security Scan for GDPR and PCI DSS Compliance. It works with our Virtualmin on :10000.
