Hi, I’m just wondering if there’s a way to fix the “Web Server Allows Password Auto-Completion (PCI-DSS variant)” password autocomplete issue on Webmin? It’s coming up with a warning.
What I meant was that the password autocomplete issue needs fixing, as it’s giving a warning. I’m also chasing this up as I haven’t had any replies.
Web Server Allows Password Auto-Completion (PCI-DSS variant)
Service ndmp running on port 10000/TCP (Webmin/Virtualmin)
Impact: The remote web server contains at least HTML form field containing an input of type ‘password’ where ‘autocomplete’ is not set to ‘off’. While this does not represent a risk to this web server per se, it does mean that users who use the affected forms may have their credentials saved in their browsers, which could in turn lead to a loss of confidentiality if any of them use a shared host or their machine is compromised at some point.
Resolution: Add the attribute ‘autocomplete=off’ to these fields to prevent browsers from caching credentials
The way I worked around any problems related to Virtualmin (or other remote services) is by implementing a VPN and using this to gain access to a secure network and accessing these types of services internally. All service ports are closed externally but are open internally.
Keeps the PCI police at bay.