Steps to reproduce security concern
- Install a fresh Debian Jessie 8, 64-bit
- Install a fresh Virtualmin
- Using your browser, visit the IP address of your server, such as http://126.96.36.199/
- The following page is displayed: "Apache2 Debian Default Page". Screenshot attached.
- That page is displayed to anonymous users. It includes lots of information about your server. It also includes sub-pages, which also include information about your server.
- The security concern is that immature people could abuse that information to exploit the server.
- During Virtualmin installation set the following folder to CHMOD Octal
In the previous version of Virtualmin and Debian, that page was protected by default. In other words, it was not visible to anonymous users.