Sucuri Blog

Popular sites with Apache server-status enabled

October 30, 2012, by Daniel Cid


Apache has a very useful feature called server-status (provided by mod_status) that allows administrators to easily find out how well their servers are performing.

It is basically an HTML page that displays the number of worker processes, the status of each request, the IP addresses that are visiting the site, the pages that are being requested, and things like that. All good.

However, this feature can also have security implications if you leave it wide open to the world. Anyone would be able to see who is visiting the site and which URLs they request, and sometimes even find hidden (obscure) admin panels or files that should not be visible to the outside.

Talk about an awkward moment.

URL mapping and server status

We started a small crawling project in our Labs that queried over 10 million different web sites (some of the crawl data is at URLfind.org), and we noticed something very interesting: lots of web sites (some big ones) keep their server-status page open to the whole world.

Here are just a few popular brands showing their status:

http://php.net/server-status/
http://metacafe.com/server-status/
http://cloudflare.com/server-status/ (FIXED)
http://disney.go.com/server-status/ (FIXED)
http://www.latimes.com/server-status/
http://www.staples.com/server-status/
http://tweetdeck.com/server-status/ (FIXED)
http://www.nba.com/server-status/
http://www.ford.com/server-status/
http://www.cisco.com/server-status/
http://www.chicagotribune.com/server-status/
http://www.yellow.com/server-status/
http://apache.org/server-status/

And many many more here: http://urlfind.org/?server-status.

Is it a big deal that I can go to staples.com/server-status/ and see all those orders/connections being made, along with their IPs? Or go to one of them, search for “admin-p” and find a mostly unprotected admin panel (I won’t disclose the site)? Or find all the internal URLs and vhost mapping for nba.com or ford.com?

Probably not a big deal by itself (well, unless you have an unprotected admin panel), but it helps attackers easily find more information about these environments and use it in more complex attacks.
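To make the leak concrete, here is an added example (not part of the original post and not Sucuri’s crawler) that triages a captured server-status page the way the paragraphs above describe: confirm it really is a mod_status page, pull the client address, vhost and request line for every worker slot, and flag request paths that look like admin panels (the “admin-p” case). The SAMPLE page is constructed to mimic mod_status output with RFC 5737 test addresses and invented hostnames; it is not a real capture, and the SENSITIVE pattern list is an assumption you should tune.

```python
"""Triage a captured Apache server-status page (added example, not the post's code)."""
import re
from html.parser import HTMLParser

# Constructed sample in the shape of a mod_status (ExtendedStatus On) page.
SAMPLE = """<html><head><title>Apache Status</title></head><body>
<h1>Apache Server Status for www.example.com (via 10.0.0.4)</h1>
<dl><dt>Server Version: Apache/2.2.22 (Unix)</dt>
<dt>2 requests currently being processed, 14 idle workers</dt></dl>
<pre>W_W_____________</pre>
<table border="0"><tr><th>Srv</th><th>PID</th><th>Acc</th><th>M</th><th>CPU</th><th>SS</th><th>Req</th><th>Conn</th><th>Child</th><th>Slot</th><th>Client</th><th>VHost</th><th>Request</th></tr>
<tr><td><b>0-0</b></td><td>4121</td><td>0/41/41</td><td>W</td><td>0.12</td><td>0</td><td>3</td><td>0.0</td><td>0.30</td><td>0.30</td><td>203.0.113.5</td><td>www.example.com</td><td nowrap>GET /admin-p/index.php HTTP/1.1</td></tr>
<tr><td><b>1-0</b></td><td>4122</td><td>0/17/17</td><td>_</td><td>0.05</td><td>2</td><td>1</td><td>0.0</td><td>0.10</td><td>0.10</td><td>198.51.100.7</td><td>shop.example.com</td><td nowrap>POST /checkout/confirm HTTP/1.1</td></tr>
<tr><td><b>2-0</b></td><td>4123</td><td>0/9/9</td><td>W</td><td>0.01</td><td>0</td><td>1</td><td>0.0</td><td>0.04</td><td>0.04</td><td>192.0.2.9</td><td>www.example.com</td><td nowrap>GET /index.html HTTP/1.1</td></tr>
<tr><td><b>3-0</b></td><td>4124</td><td>0/0/0</td><td>.</td><td>0.00</td><td>0</td><td>0</td><td>0.0</td><td>0.00</td><td>0.00</td><td></td><td></td><td nowrap></td></tr>
</table>
<hr /><table><tr><th>Srv</th><td>Child Server number - generation</td></tr>
<tr><th>Client</th><td>Client host of the last request</td></tr></table>
</body></html>
"""

# Paths worth a second look when they appear in a leaked request line (assumed list).
SENSITIVE = re.compile(r"/(admin[^ /]*|wp-login\.php|phpmyadmin|manager|\.git)", re.I)


class _TableRows(HTMLParser):
    """Collect every <tr> on the page as a list of its cell texts (th/td)."""

    def __init__(self):
        super().__init__()
        self.rows, self._row, self._cell = [], None, None

    def handle_starttag(self, tag, attrs):
        if tag == "tr":
            if self._row is not None:  # tolerate an unclosed previous row
                self.rows.append(self._row)
            self._row = []
        elif tag in ("td", "th") and self._row is not None:
            self._cell = []

    def handle_endtag(self, tag):
        if tag in ("td", "th") and self._cell is not None:
            self._row.append("".join(self._cell).strip())
            self._cell = None
        elif tag == "tr" and self._row is not None:
            self.rows.append(self._row)
            self._row = None

    def handle_data(self, data):
        if self._cell is not None:
            self._cell.append(data)


def is_server_status(body):
    """mod_status titles its HTML page 'Apache Server Status for <host>'."""
    return "Apache Server Status for" in body


def worker_rows(body):
    """Per-worker table as dicts keyed by its header row (Srv ... Client, VHost, Request).

    Header-driven, so it works for both the 2.2 and 2.4 column layouts; the
    two-cell legend rows that follow the table fail the length check and are skipped.
    """
    parser = _TableRows()
    parser.feed(body)
    header, rows = None, []
    for row in parser.rows:
        if header is None:
            if "Client" in row and "Request" in row:
                header = row
        elif len(row) == len(header):
            rows.append(dict(zip(header, row)))
    return rows


def leaked_requests(body):
    """(client, vhost, request) for every slot that has served a request.

    mod_status shows the *last* request of each slot, idle ones included, so this
    is a short history of recent traffic, not only what is in flight right now.
    """
    return [(r["Client"], r.get("VHost", ""), r["Request"])
            for r in worker_rows(body) if r["Request"]]


def sensitive_paths(body):
    """Leaked request lines that match SENSITIVE, deduplicated and sorted."""
    return sorted({req for _, _, req in leaked_requests(body) if SENSITIVE.search(req)})


def classify_response(status, body):
    """Label one probe of /server-status/ by HTTP status plus body content.

    'exposed'    200 with a real status page
    'restricted' 401/403, i.e. access control is in place
    'absent'     anything else (404, or a redirect that landed on the homepage)
    """
    if status == 200 and is_server_status(body):
        return "exposed"
    if status in (401, 403):
        return "restricted"
    return "absent"
```

Feed it the body of `curl -s http://host/server-status/` (note the trailing slash, which a few sites in this thread treated differently from the bare path) and `classify_response` tells you whether the page is open, while `leaked_requests` and `sensitive_paths` show what an outsider learns from it. The body check matters: a site that redirects the status URL to its homepage returns 200 without leaking anything, so the status code alone is not enough.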


Simple fix

For server admins, please disable server-status or restrict it to only the set of IP addresses that really need to use it. This page explains how: http://httpd.apache.org/docs/2.2/mod/mod_status.html.
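As an added illustration of that fix (not configuration taken from the post or from any of the sites listed), here is the open configuration next to the restricted one, in both the Apache 2.2 syntax the linked docs use and the 2.4 syntax that replaced it. 192.0.2.10 stands in for your monitoring host and is a placeholder.

```apache
# Open (what the sites above effectively run): the handler is mapped and no
# access control applies, so anyone on the Internet can GET /server-status.
LoadModule status_module modules/mod_status.so
ExtendedStatus On
<Location /server-status>
    SetHandler server-status
</Location>

# Restricted, Apache 2.2 syntax: deny by default, then allow only the hosts
# that need it. Keep the directives directly inside <Location>; wrapping
# them in <Limit>/<LimitExcept> scopes them to some HTTP methods only.
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1 ::1 192.0.2.10
</Location>

# Restricted, Apache 2.4 syntax (mod_authz_core replaced Order/Allow/Deny).
<Location /server-status>
    SetHandler server-status
    Require ip 127.0.0.1 ::1 192.0.2.10
</Location>

# Two caveats:
# - Behind a reverse proxy, Apache sees the proxy's address for every request,
#   so an allow for 127.0.0.1 matches the whole world. Block /server-status
#   at the proxy as well, or do not rely on a localhost allow at all.
# - ExtendedStatus On is what adds the per-worker Client and Request columns.
#   Turning it Off shrinks what the page reveals but is not a substitute for
#   the access control above; if you never look at the page, drop the
#   LoadModule line and the <Location> block entirely.
```

After reloading, confirm the restriction from an outside address: `curl -sI https://www.example.com/server-status/` should return 403 (or 404 if the module is gone), not 200 with a page titled “Apache Server Status for”.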


Categories: Security Education. Tags: Server Security, Webserver Infections

About Daniel Cid

Daniel B. Cid is Founder of Sucuri and the VP of Engineering for the GoDaddy Security Products group. He is also the founder of OSSEC and CleanBrowsing. You can find more about Daniel on his site dcid.me or on Twitter: @danielcid


Comments

  1. John B. Roberts

    October 30, 2012

    Daniel, you can remove cloudflare.com from that list. We (re)closed that hole after seeing your post. Good nudge. ;-p

    John
    CloudFlare

    • Daniel B. Cid

      October 30, 2012

      Removed now. thanks!

      • Sasha

        October 31, 2012

        It’s still in the blog post above.

        • Tony Perez

          October 31, 2012

          Hi Sasha

          Yes, we’ve removed the link and assigned it as fixed. Are you seeing the fixed? Could be cached.

          Thanks

  2. Daniel Rener

    October 30, 2012

    Looks like CloudFlare fixed theirs. It redirects to their homepage now.

  3. Wordpress Arena

    October 30, 2012

    This is a really useful tip.. going to close it for my site as well… great project from Sucuri Labs

    • Tony Perez

      October 31, 2012

      No worries, glad it helps.

  4. cabbey

    October 30, 2012

    The folks with the unprotected admin console probably think they are safe because it’s in robots.txt as globally disallowed. 😉

    • Carl Bennett

      October 31, 2012

      😉

  5. jobicoppola

    October 31, 2012

    Looks like nba.com is fixed as well, now returns a 403…

    • Tony Perez

      October 31, 2012

      Still shows up here. Theirs is one of the worst ones, you can see modules installed etc..

      • jobicoppola

        October 31, 2012

        Yep still there, I had left out the trailing slash…

      • Julian

        October 31, 2012

        Heh worse than that you can see that they get almost no traffic 🙂 3 connections and 1021 idle workers, ouch!

      • jobicoppola

        October 31, 2012

        fwiw, getting 404s for http://www.nba.com/server-status/ now…

  6. EliteParakeet

    October 31, 2012

    Do you know if Nikto detects this?

    • Tony Perez

      October 31, 2012

      Have no idea.. haven’t tried running nikto on them to see.

  7. Brad Choate

    October 31, 2012

    http://apache.org/server-status/

    • Tony Perez

      October 31, 2012

      Oh Brad, that’s classic. Thanks, added to the post.

  8. sparroww

    October 31, 2012

    looks like mod_security takes care of it. My servers return 403s.

  9. Marcus Povey

    October 31, 2012

    I mentioned this in the hacker news thread on the subject, but beware when running Squid (or similar) in reverse proxy mode (which is pretty common, and may be what happened to at least some of the sites here).

    Many default apache configurations already limit requests to localhost, but if you run a reverse proxy then unless you take additional measures you can risk exposing this sort of restricted info, since apache will see all requests appear to originate from the proxy, which typically is running on localhost.

  10. Ludovic Urbain

    October 31, 2012

    1. hiding server-status will make no difference *if* your system is secure to begin with

    2. the real fix is [Deny from all] for everything, [Allow from all] for specific resources, and [Allow from localhost] for admin stuff, accessed by ssh if required at all – And it fixes much much more than just server-status.

  11. PDL

    October 31, 2012

    nba.com is fixed.

  12. U̶ɴ̶ᴠ̶ᴇ̶ʀ̶ɪ̶ғ̶ɪ̶ᴇ̶ᴅ

    November 1, 2012

    PHP.net is fixed as well

  13. Christopher Hartley

    November 1, 2012

    Reveals pushdo infectees 🙂
    1-048496840/18/18_10.5812300.00.460.46 118.101.101.30 defaultPOST /?ptrxcz_llmmmmmmmooooooopppppppqqqqqqq HTTP/1.1
    for instance.. (118.101.101.30 is infected) – a public service, in a way.

  14. Lars

    November 1, 2012

    In the case of apache.org we do have a public server-status page intentionally.

  15. Jake Johnstone

    November 2, 2012

    Here’s a Google dork that will find the page in question: intext:”Apache Server Status for”

  16. Steve Madsen

    November 2, 2012

    To be fair to these server admins, this might not be their fault. I tracked down the problem on two sites I control to a LimitExcept directive. Is this actually an Apache problem? At the very least, the documentation does not warn about this.

    (I blogged about it in more detail at http://lightyearsoftware.com/2012/11/popular-sites-with-apache-mod_status-enable/.)

  17. jimmycricket

    November 2, 2012

    So Google’s “Cached Page” option still lists everything from ‘fixed’ sites. Dunno if notifying them would help or not…

  18. pieboy007

    November 24, 2013

    No, it’s still working

  19. Anshuman Aggarwal

    December 13, 2013

    Ummm… duh, that’s called demonstrating your features for Apache… they have nothing to hide and as an open source project it’s in the spirit of openness 🙂
