Apache Server-Status Publicly Viewable on Top Sites

A vast number of websites, ranging from obscure to quite popular, have left an Apache Web server feature called server-status enabled and publicly accessible. The careless deployment of this module, Sucuri CTO Daniel Cid warns in a write-up on the Sucuri blog, could give potential attackers valuable information to help launch targeted attacks.


Server-status is an Apache module that gives administrators the ability to monitor server activity and performance through an HTML page that displays server statistics in an easily readable format. The module presents various important data points, including the number of server requests and idle workers, the status of each worker and the number of requests each has performed, the average number of bytes per request, the amount of time the server has been running, and other information depending on whether the extended status configuration is enabled.

The server-status module can be a helpful tool for administrators seeking to quickly determine how well a server is performing. The problem in this case, Cid and his colleagues determined after crawling more than 10 million websites, is that the server-status page on a number of websites, recognizable brands among them, is publicly accessible.

Cid admits that the mistake here may seem a bit trivial, but he explains that potential information gleaned from server-status pages can help attackers plan and launch complicated attacks.

At the time of his publication on Tuesday, Cid listed php.net, metacafe.com, cloudflare.com, Disney.go.com, latimes.com, staples.com, tweetdeck.com, nba.com, ford.com, cisco.com, chicagotribune.com, yellow.com, and apache.org among the sites with publicly accessible server-status pages. A number of these sites, including Cloudflare, Disney, and TweetDeck, have fixed the configuration of their server-status pages since Cid’s publication.

For server admins with their server-status pages open, Cid advises them to either disable server-status altogether or restrict access to it based on the IP addresses of those who actually need to use it.
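The two remediations Cid recommends correspond to a few lines of httpd configuration. The following is an added example written for this article, not configuration taken from Cid's write-up or from any of the sites named above; it assumes a stock Apache 2.4 install with mod_status available, and the 192.0.2.0/24 network is a placeholder for whatever monitoring hosts actually need access.

```apacheconf
# Added example: mod_status configuration as commonly shipped, and the
# restricted form. 192.0.2.0/24 is a placeholder for the admin/monitoring
# network; substitute the real addresses that need to read the page.

LoadModule status_module modules/mod_status.so

# --- Weak: anyone who can reach the site can fetch /server-status ---
# <Location "/server-status">
#     SetHandler server-status
# </Location>
# ExtendedStatus On

# --- Restricted: only listed source addresses may read the page ---
# ExtendedStatus is a server-wide directive; keep it outside <Location>.
ExtendedStatus On
<Location "/server-status">
    SetHandler server-status
    # Apache 2.4 authorization: multiple Require lines outside a
    # <RequireAll>/<RequireAny> block are treated as RequireAny.
    Require ip 127.0.0.1 ::1
    Require ip 192.0.2.0/24
</Location>

# Apache 2.2 equivalent of the restriction above:
# <Location "/server-status">
#     SetHandler server-status
#     Order deny,allow
#     Deny from all
#     Allow from 127.0.0.1 192.0.2.0/24
# </Location>

# --- Disabled entirely (Cid's other recommendation) ---
# Remove or comment out the <Location "/server-status"> block and the
# LoadModule status_module line, then reload httpd.
```

After reloading, confirm the change from a host outside the allowed range with `curl -I https://example.com/server-status`, which should return 403 rather than 200. Two caveats worth checking: `Require ip` matches the TCP peer address, so behind a reverse proxy or CDN the "client" Apache sees may be the proxy itself unless mod_remoteip is configured to restore the original address; and if a site has several virtual hosts, the `<Location>` must be restricted in each one (or at the server level), because a block in one vhost does not protect the others.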
