Apache Server-Status Module Exposes User Data on the Internet
Hundreds of websites running Apache with the mod_status module enabled are leaking information about the websites they host, the IPs of visitors and what resources they are interested in.
This discovery was made by researchers with security firm Sucuri after crawling 10 million websites and finding hundreds of status pages reachable from the internet. When enabled, the Apache mod_status module serves a "server status" page that reports server load and uptime, the requests currently being processed, the client IP addresses that issued them and the URLs they requested, which can include paths to internal resources.
Sucuri's researchers explained that the status page is useful to administrators troubleshooting their servers, but it becomes a liability as soon as the information on it reaches the wrong hands. A server-status page hands an attacker a great deal of information for a targeted attack, for instance by revealing the paths of administrator panels that are not otherwise protected.
These status pages are reached by simply appending /server-status to the URL of the website being probed. On a poorly configured server, Apache answers with a list of client IP addresses together with the resources each one requested.
So, before you access websites you would not like people to know you are visiting, or before posting sensitive comments on a blog, check that server-status is disabled or restricted; otherwise somebody who knows your IP address could identify you and the content you visited or published.
At the end of the post, Daniel Cid, chief technology officer with Sucuri, offers a simple fix “for server admins: please disable server-status or restrict it to only a set of IP addresses that really need to use it. This link explains how to do so: http://httpd.apache.org/docs/2.2/mod/mod_status.html.”
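The exposed configuration alongside the restricted one, as an added example illustrating the probe described above and the fix Cid recommends; this is not configuration from the Sucuri post or the Apache project, and the 10.0.0.0/8 monitoring network is an assumed value.

```apache
# Exposed: the status handler is mounted with no access control, so any
# client on the internet can read it. Apache 2.4 also defaults ExtendedStatus
# to On, which adds the per-request Client and Request columns to the page.
<Location /server-status>
    SetHandler server-status
</Location>
ExtendedStatus On

# Restricted, Apache 2.2 syntax (the version the linked documentation covers):
# deny everyone, then allow only the loopback addresses and an assumed
# 10.0.0.0/8 monitoring network. Apache does not accept trailing comments,
# so every comment sits on its own line.
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1 ::1
    Allow from 10.0.0.0/8
</Location>

# Restricted, Apache 2.4 syntax: the same policy expressed with Require.
<Location /server-status>
    SetHandler server-status
    Require ip 127.0.0.1 ::1 10.0.0.0/8
</Location>

# Defence in depth: with ExtendedStatus Off the page still shows the
# worker scoreboard but no longer lists client IPs or requested URLs.
ExtendedStatus Off

# To disable the page altogether instead of restricting it, comment out the
# module load line in the main configuration and restart Apache:
# LoadModule status_module modules/mod_status.so
```

After reloading, probe the page from a host outside the allowed ranges: `curl -s -o /dev/null -w '%{http_code}\n' http://www.example.com/server-status` should print 403 (or 404 if the module has been unloaded), while the same request from an allowed address still returns 200. If both the 2.2 and 2.4 blocks are left in one file, Apache 2.4 will reject the Order/Deny/Allow directives unless mod_access_compat is loaded, so keep only the block that matches the installed version.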