Hundreds of websites running Apache with the mod_status module enabled are leaking information about the websites they host, the IPs of visitors and what resources they are interested in.
This discovery was made by researchers with security firm Sucuri after crawling 10 million websites and finding hundreds of status pages available on the internet. When enabled, the Apache mod_status module creates a "server status" page that displays certain pieces of information about the server's CPU, memory load, user requests, IP addresses or paths to certain internal files.
Sucuri researchers explained that this status page can be very useful for server administrators while troubleshooting their boxes, but it becomes a risk factor if the information listed there gets into the wrong hands. These server-status pages offer attackers a lot of information that can be used in targeted attacks if they poke around for unprotected administrator panels.
These status pages are available by simply adding /server-status to the URL of the website being probed. If poorly configured, the Apache web server will return a list of client IP addresses together with the content each of them requested from the server.
So, before you access websites you wouldn't like people to know you're visiting, or before adding sensitive comments to a blog, make sure that server-status is disabled, or somebody who knows your IP address could identify you and the content you visited or published.
At the end of the post, Daniel Cid, chief technology officer with Sucuri, offers a simple fix "for server admins: please disable server-status or restrict it to only a set of IP addresses that really need to use it. This link explains how to do so: http://httpd.apache.org/docs/2.2/mod/mod_status.html."
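As an added illustration (not from the Sucuri post or the Apache project), the configuration below shows the exposed setting beside the restricted one, using the Apache 2.2 directives from the documentation linked above; the admin address 192.0.2.10 is a placeholder.

```apache
# Exposed: anyone who requests /server-status gets the page, and
# ExtendedStatus On is what adds the per-client IP and request columns
# that the article describes leaking.
ExtendedStatus On
<Location /server-status>
    SetHandler server-status
</Location>

# Restricted: same handler, but only the hosts that actually need it.
# Apache 2.2 access control (Order/Deny/Allow); 192.0.2.10 is a
# placeholder for your own administration host.
ExtendedStatus Off
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1 192.0.2.10
</Location>

# Disabled entirely: comment out the module load so no status handler
# exists at all (on Debian/Ubuntu, "a2dismod status" does the same).
# LoadModule status_module modules/mod_status.so
```

After reloading, a request for /server-status from any address not in the Allow list should return 403 rather than the scoreboard.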