Apache has a very useful functionality called server-status that allows administrators to easily find how well their servers are performing.
It is basically an HTML page that displays the number of process working, status of each request, IP addresses that are visiting the site, pages that are being queried and things like that. All good.
However, this feature can also have security implications if you leave it wide open to the world. Anyone would be able to see who is visiting the site, the URLs, and some times even find hidden (obscure) admin panels or files that should not be visible to the outside.
Talk about an awkward moment.
URL mapping and server status
We started a small crawling project in our Labs that queried over 10m different web sites (some of the crawl data is at URLfind.org). And we noticed something very interesting: Lots of web sites (some big ones) keep their server-status page open the whole world.
Here are just a few popular brands showing their status:
http://php.net/server-status/
http://metacafe.com/server-status/
http://cloudflare.com/server-status/ (FIXED)
http://disney.go.com/server-status/ (FIXED)
http://www.latimes.com/server-status/
http://www.staples.com/server-status/
http://tweetdeck.com/server-status/ (FIXED)
http://www.nba.com/server-status/
http://www.ford.com/server-status/
http://www.cisco.com/server-status/
http://www.chicagotribune.com/server-status/
http://www.yellow.com/server-status/
http://apache.org/server-status/
And many many more here: http://urlfind.org/?server-status.
Is that a big deal that I can go to staples.com/server-status/ and see all those orders/connections being made and their IPs? Or go to one of them and search for “admin-p” and find a mostly unprotected admin panel (I won’t disclose the site). Or find all the internal URLs and vhost mapping for nba.com or ford.com?
Probably not a big deal by itself (well, if you don’t have an unprotected admin panel), but that can help attackers easily find more information about these environments and use them for more complex attacks.
Simple fix
For server admins, please disable server-status or restrict it to only a set of IP addresses that really need to use it. This link explains how to do so: http://httpd.apache.org/docs/2.2/mod/mod_status.html.
About Daniel Cid
Pingback: [Software] Apache Server Status
Pingback: Squid Reverse Proxy security gotchas | Marcus Povey
Pingback: Apache Server-Status Module Exposes User Data on the Internet | HOTforSecurity
Pingback: Are you running Apache? lockdown your system_status page | johnstone tech
Pingback: Popular Sites with Apache mod_status Enabled — Light Year SoftwareLight Year Software
Pingback: Apache Server-Status Publicly Viewable on Top Sites | infosec360
Pingback: Apache Server-Status Publicly Viewable on Top Sites
Pingback: Apache Server-Status Publicly Viewable on Top Sites « Cyber Security Aid
Pingback: Apache Server Setting Mistakes Can Aid Hackers | Exploit Archive
Pingback: Josh Michaels
Pingback: Out-of-date Software Affects Websites Big and Small | Sucuri Blog
Pingback: Çoğu Apache Web Sunucusu Popüler Websiteleri için Risk Yaratıyor | Özgür YILDIRIM
Pingback: InfoSec Institute Resources – The Recon-ng Framework : Automated Information Gathering
Pingback: 2012 Web Malware Trends Report Summary | Sucuri Blog