I’m currently getting a server set up to be ‘PCI Compliant’ - e.g. pass an automated PCI scan.
There is some documentation here (PCI Compliance – Virtualmin) but it appears to be out of date. I have used it as a starting point and think I now have everything running on TLSv1.2
One of the items it mentions is CVE-2020-8820 in Webmin <=1.941 - however I am running Webmin 1.984
The evidence the scan tool is showing is that requests to port 2000 show “Server: MiniServ/1.834” in the response headers. Am I correct in thinking this is a false positive as the MiniServ version on port 20000 is the Usermin version rather than the Webmin version?
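One way to settle the "which product is behind that MiniServ banner" question before reporting a false positive, as an added example that is not from the thread or from the Virtualmin project: read the `Server:` header from each port, look up which product's `miniserv.conf` binds that port, and compare the version the scanner saw against the affected range. The config paths `/etc/webmin/miniserv.conf` and `/etc/usermin/miniserv.conf`, the `port=` key, and the use of `curl -k` against Webmin's self-signed certificate are assumptions; the sample headers at the top are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the forum thread or the Virtualmin project).
# Decide whether a scanner finding such as "Webmin <= 1.941 (CVE-2020-8820)"
# raised on a MiniServ banner really concerns Webmin, or belongs to Usermin,
# which ships its own MiniServ and its own version number.

# Constructed sample response, shaped like the evidence a scanner reports.
SAMPLE_HEADERS='HTTP/1.0 200 Document follows
Server: MiniServ/1.834
Content-type: text/html'

# Read raw HTTP response headers on stdin; print the MiniServ version, or
# nothing if the server does not identify itself as MiniServ.
miniserv_version() {
    tr -d '\r' | grep -i '^server:[[:space:]]*MiniServ/' | head -n 1 \
        | sed 's#^[^/]*/##; s/[^0-9.].*$//'
}

# Which product owns a port. Assumption: each product keeps "port=<n>" in
# /etc/<product>/miniserv.conf. Prints webmin, usermin or unknown.
product_on_port() {
    for p in webmin usermin; do
        conf="/etc/$p/miniserv.conf"
        if [ -r "$conf" ] && grep -q "^port=$1\$" "$conf"; then
            echo "$p"
            return
        fi
    done
    echo "unknown"
}

# Classify a finding.
#   $1: product serving the port (webmin|usermin|unknown)
#   $2: version seen in the banner, e.g. 1.834
#   $3: highest affected Webmin version from the advisory, e.g. 1.941
# Prints false-positive, affected, not-affected or unknown.
# Versions are compared as decimals, which is enough for Webmin's 1.xxx scheme.
assess_finding() {
    product=$1; seen=$2; max_affected=$3
    case "$product" in
        webmin) ;;
        usermin) echo "false-positive"; return ;;   # banner is Usermin's MiniServ
        *) echo "unknown"; return ;;
    esac
    if awk -v a="$seen" -v b="$max_affected" 'BEGIN { exit !(a + 0 <= b + 0) }'; then
        echo "affected"
    else
        echo "not-affected"
    fi
}

# Fetch headers from a live port over TLS. -k tolerates the self-signed
# certificate Webmin/Usermin install by default; -D - dumps headers to stdout.
probe_port() {
    curl -sk -o /dev/null -D - "https://$1:$2/" | miniserv_version
}

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_HEADERS" | miniserv_version

# Live use: ./check.sh --live  (walks the default Webmin and Usermin ports)
if [ "${1:-}" = "--live" ]; then
    for port in 10000 20000; do
        seen=$(probe_port localhost "$port")
        product=$(product_on_port "$port")
        printf 'port %s: product=%s banner=%s verdict=%s\n' \
            "$port" "$product" "${seen:-none}" \
            "$(assess_finding "$product" "${seen:-0}" 1.941)"
    done
fi
```

The verdict line is what to attach to the false-positive report: it ties the banner version the scanner quoted to the product that actually binds the port, which is the piece of evidence the scanner itself lacks.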
Thanks - I’ll report it as a false positive. It’s not my scanner, it’s PCI DSS Compliance Programme | Clover - but I’m unfortunately having to deal with it
I guess, it could be possible that I’ve configured Webmin to run on port 20000 instead of Usermin.
Perhaps you could have the option to remove the version info from MiniServ (like ServerTokens in Apache) or make it clear which product MiniServ is serving - e.g. MiniServ/Usermin/1.834 to make life easier for these automated tools, and in turn the sysadmins who have to fight with them.