PCI Compliancy Failure Issues

Also Affects Webmin Core

PCI Compliancy Failure:

Details:
Password Autocomplete is on when it should be off
session cookies aren't set to httponly and secure

These issues need fixing as they are causing compliancy failures in PCI DSS 3.0 and 3.1

Files Affected: (List related to debian Jessie but affects all versions)
/usr/share/webmin/authentic-theme/session_login.cgi
/usr/share/webmin/session_login.cgi

Status: Closed (fixed)

Comments

Submitted by Ilia on Sun, 01/10/2016 - 16:26

Just read about this issue. Missed that for 17.40, very sorry. I will take a look at it in the next closest release.

Are you sure it's Authentic Theme bug?

Submitted by Ilia on Mon, 01/11/2016 - 02:51

Hi,

Please add this piece of code to the theme extension (JS), to prevent autocomplete on login screen:

$(function () {

        // Prevent passwords autocomplete on login screen
        if ($("html.session_login").length) {
                $(".form-control.session_login").attr("autocomplete", "off");
        }
});
session cookies aren't set to httponly and secure

Is it the theme that has to take care of this?

It didn't fix the issue as it's still failing.

Submitted by Ilia on Thu, 01/14/2016 - 13:06

Then it has to be added directly to the HTML in the session_login.cgi file. It will be done in the next release.

You could go to the mentioned file and add autocomplete="off" to <input type="password">.

Does it fix your problem?

Yes, but not the httponly and secure cookie flags. They are still being flagged up.

Not being funny, but these were reported several times and are still not fixed.
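For anyone wanting to reproduce the two scanner findings locally before paying for a scan, here is an added example (not code from the theme or from Webmin) that checks a saved login page for password fields without autocomplete="off" and checks Set-Cookie headers for missing HttpOnly/Secure flags. The sample HTML and cookie headers are constructed for illustration and do not come from a real Webmin response.

```python
from html.parser import HTMLParser

# Constructed sample login page and Set-Cookie headers (not Webmin's real output).
SAMPLE_HTML = """
<form method="post" action="/session_login.cgi">
  <input type="text" name="user">
  <input type="password" name="pass">
  <input type="password" name="pass2" autocomplete="off">
</form>
"""
SAMPLE_SET_COOKIE = [
    "sid=abc123; path=/",                    # missing both flags
    "testing=1; path=/; HttpOnly",           # missing Secure
    "sid=def456; path=/; HttpOnly; Secure",  # both flags present
]

class _PasswordInputs(HTMLParser):
    """Collect password inputs whose autocomplete attribute is not 'off'."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("type", "").lower() == "password" and a.get("autocomplete", "").lower() != "off":
            self.findings.append(a.get("name", "<unnamed>"))

def password_autocomplete_findings(html):
    """Return names of password fields a PCI scanner would flag for autocomplete."""
    parser = _PasswordInputs()
    parser.feed(html)
    return parser.findings

def cookie_flag_findings(set_cookie_headers):
    """Return (cookie_name, missing_flags) for each Set-Cookie lacking HttpOnly/Secure."""
    findings = []
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.lower() for p in parts[1:]}  # flag attributes are case-insensitive
        missing = [f for f in ("HttpOnly", "Secure") if f.lower() not in attrs]
        if missing:
            findings.append((name, missing))
    return findings

if __name__ == "__main__":
    print(password_autocomplete_findings(SAMPLE_HTML))  # ['pass']
    print(cookie_flag_findings(SAMPLE_SET_COOKIE))     # [('sid', ['HttpOnly', 'Secure']), ('testing', ['Secure'])]
```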

Submitted by Ilia on Fri, 01/15/2016 - 01:30

And was there a problem in the previous theme with the httponly and secure cookie flags?

No, only autocomplete caused compliancy issues. That was caused by the Webmin core, which is still like that now. It's never been fixed.

Submitted by Ilia on Sun, 01/17/2016 - 02:07

I will read more about those standards and in case it's technically possible, I will try to fix it.

Can I run it on my PC to check for results and what is the practical point of having those tests passed?

You'd have to use a provider like SecurityMetrics to run the tests.

Submitted by Ilia on Thu, 03/31/2016 - 16:18

I believe I have done all I could on the theme's side (by not saving the login and the password).

I'm closing this issue. If you think I can do more on the theme's side (not Webmin), feel free to re-open it in the future.

Submitted by Ilia on Thu, 03/31/2016 - 16:18

Status: Active » Closed (fixed)