VirtualMin and WebMin Fail PCI Compliance audits on ports 20000 and 10000

6 posts / 0 new
Last post
#1 Thu, 11/01/2012 - 14:33
katir

VirtualMin and WebMin Fail PCI Compliance audits on ports 20000 and 10000

We are trying to be PCI compliant and though no banks are breathing down our necks, we have to keep at it. We are close to solving problems on ports 80 and 443 on our sites, -- mostly we need to sanitize $_POST and $_GET strings to prevent JS and SQL injection before touching the data.. but that's easily done.

We getting major failures for ports 20000 and 10000 where VirtualMin/WebMin/UserMin are running.

I'm not sure where to begin to tackle these issues, as obviously I don't have control over the code for those web apps.

I guess it would help to see what those errors are but I'm not comfortable attaching output here. I suppose I could make this a private post but i thought to start making this open to see if others have already addresses this same issue.

Thu, 11/01/2012 - 14:58
katir

Well I should have talked in depth to Security Metrics in the first place. They are now telling me, if we are willing to make a statement that no credit card information every passes over ports 20000 and port 10000 then they will remove the flags from the audit.

Thu, 11/01/2012 - 15:11
andreychek

Howdy,

I would be interested in seeing the output you received, if you're comfortable with that. Feel free to mark the post as private.

While you could of course just tell them you don't be doing any credit cards on those ports, I'd be curious to see what the issues are.

-Eric

Thu, 11/01/2012 - 15:25
katir

OK please confirm that this this thread is now private... I'm not sure I edited the original post, made it private, but I only see a lock on the post and not these comments.

Thu, 11/01/2012 - 16:14
andreychek

Yup, you can only lock the initial post... once you do that, it means only the Virtualmin staff can see the entire thread (unless someone else had posted a comment, in that case they would be able to see it too... but that's not the case here).

Thu, 11/01/2012 - 16:57
katir

You system will not accept my attempts to attach with at .txt file or .pdf file.

Topic locked