Steps to reproduce security concern
- Install a fresh Debian Jessie 8 at 64 bit
- Install a fresh Virtualmin
- Using your browser visit the IP address of your server. Such as http://123.123.123.123/
- The following page is display "Apache2 Debian Default Page". Screenshot attached.
- That page is display to anonymous users. It includes lots of information about your server. It also includes sub-pages which also include information about your server.
- The security concern is that immature people could abuse that information to exploit the server.
Suggested resolution
- During Virtualmin installation set the following folder to CHMOD Octal
0770
instead of0755
/var/www/html
In the previous version of Virtualmin and Debian that page was protected by default. In other words, not visible to anonymous users.
Status:
Active
Comments
Trying to re-upload the file. With new name. The first file did not work. Maybe the "---" in the first file name interfered with the display?
Submitted by andreychek on Sun, 11/08/2015 - 12:37 Comment #2
Howdy -- Virtualmin hadn't actually done anything with that default website in the past. If you're seeing a difference in that behavior, it's likely a change in what the distribution is doing.
While I'm not sure we feel this is a security issue (and if it was, that's something that you may need to discuss with the distribution maintainers), having this default website can sometimes cause some confusion, since Virtualmin doesn't manage sites in /var/www/html.
So maybe the best option here is to simply have Virtualmin remove any default website when being installed onto Debian and Ubuntu. That can be done with "a2dissite default"
I'll run that by Jamie, but I suspect we'll make that change in the Virtualmin installer shortly.