Apache's real time server-status publicly available on MANY big sites
Please share and raise awareness

Late yesterday, securing my server, I 'got onto' an issue. I discovered that a large number of Apache-based web sites were publicly displaying their real-time server status to anyone who asked for it. My blog post is here: http://thepileof.blogspot.com/2012/03/apaches-server-status-vfolder.html, a blog I keep just to post random stuff.

My first test was to wired.com, which showed me - much to my surprise - a full status of that server (they are load balanced I believe), along with all IPs connected to it, what pages they are retrieving, etc... (normal Apache status).

I then tested Apache.org's site. It turns out they are not setting a great example, as I got a full listing from it too. hXXp://apache(dot)org/server-status

I tested more and found The Washington Post's web site was also vulnerable. hXXp://washingtonpost(dot)com/server-status

hXXp://wired(dot)com/server-status continues to be an issue to this time, BUT it depends on which server you hit. The other two are still fully open, despite surely a lot of IPs hitting their status pages by now.

hXXp://php(dot)net/server-status is another.

Essentially, mod_status, classified as 'base' (included by default), is the culprit. Of course, everything in Apache is implemented as a module that can be either statically or dynamically linked, but this particular module is a default one.

Who cares?

1. Sites that pass secure credentials on the query string via GET requests, under the assumption that nobody else is seeing the GET requests in REAL TIME.
2. Sites that use security through obscurity by using unique folder and file names.
3. Imagine the privacy concerns, as all client IPs, and what they are visiting, are reported. These pages can be polled and a very accurate picture of the site and its visitors can be formed.
4. More information about the server means more information for an attacker. They get lots of information about the server load, clients, and even additional information with appended parameters like ?auto in some cases.

How to fix?
See the above blog post of mine for more information - http://tinyurl.com/6t2bf8r

I announced this rather haphazardly. Through a slew of edits, it kinda/sorta got out there, but I'd like to announce this problem again. It is mostly a lack of awareness.

I just tested a handful of sites - there are surely countless sites with this wide open, if my small scale tests are ANY indication.
Jeremy Collake:
 
Let's hope this spreads ;). I've done my part, now back to work.
 
UPDATE: I've updated the blog post that goes into a little more depth, and added php.net to the list of sites I know to be vulnerable. I am not going to go searching the whole web for them, I just tested it because there was a PHP update today, lol. Anyway, I am very surprised at the lack of concern. The servers I pointed out have still yet to be fixed. This is why we have so many security problems today ... complacency.
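
A way to check your own Apache configuration for the mod_status exposure described in the post, as an added example that is not part of the original post or the linked blog. The sample configurations are constructed, the `audit` function name is hypothetical, and the check only sees directives inside each `<Location>` block.

```python
import re

# Constructed sample configurations (not from the original post).
OPEN_DEFAULT = """<Location /server-status>
    SetHandler server-status
</Location>"""
OPEN_22 = """<Location /server-status>
    SetHandler server-status
    Order allow,deny
    Allow from all
</Location>"""
LOCAL_24 = """<Location "/server-status">
    SetHandler server-status
    Require local
</Location>"""
LOCAL_22 = """<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Location>"""

BLOCK = re.compile(r'<Location\s+"?([^">\s]+)"?\s*>(.*?)</Location>', re.I | re.S)

def audit(conf):
    """Return (path, reason) for each server-status handler that looks public.

    Only directives inside the <Location> block are examined; restrictions
    inherited from an enclosing scope are not seen, so treat hits as items
    to review rather than proof of exposure.
    """
    findings = []
    for path, body in BLOCK.findall(conf):
        # Normalise whitespace and case, drop blank lines and comments.
        lines = [" ".join(l.split()).lower() for l in body.splitlines()]
        lines = [l for l in lines if l and not l.startswith("#")]
        if "sethandler server-status" not in lines:
            continue
        if "require all granted" in lines or "allow from all" in lines:
            findings.append((path, "explicitly open to all clients"))
        elif not any(l.startswith("require ") or l == "deny from all" for l in lines):
            findings.append((path, "no Require or Deny from all in block"))
    return findings

if __name__ == "__main__":
    for name in ("OPEN_DEFAULT", "OPEN_22", "LOCAL_24", "LOCAL_22"):
        print(name, audit(globals()[name]))
```

`LOCAL_24` uses the Apache 2.4 `Require` syntax and `LOCAL_22` the older 2.2 `Order`/`Deny`/`Allow` syntax; both limit the status page to the local machine.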