Apache /server-status accessible

Is it possible to disable apache-status from outside?

Thanks!!

Summary

Requesting the URI /server-status provides information on the server activity and performance.
Vulnerability Detection Result

Vulnerable url: https://xxxxx.com/server-status

Impact

Requesting the URI /server-status gives thorough information about the currently running Apache to an attacker.

Solution type: Mitigation

  • If this feature is unused, commenting out the appropriate section in the web server’s configuration is recommended.
  • If this feature is used, restricting access to trusted clients is recommended.

Affected Software/OS

All Apache installations with an enabled ‘mod_status’ module.

Vulnerability Insight

server-status is an Apache HTTP Server handler provided by the ‘mod_status’ module and used to retrieve the server’s activity and performance.


Confirmed on a recent install. That’s odd, the module seems to be correctly configured:
cat /etc/apache2/mods-enabled/status.conf

Listen 127.0.0.1:8081
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
    Allow from all
</Location>

Also confirmed it; we will remove this module with the next release from all systems. Commit will follow shortly.

Apache mod_status will now be disabled on the next release also including fresh installs: https://github.com/hestiacp/hestiacp/commit/874e3c9261e6e5b8be79c019c17a0a33306118d6

Thanks for the report, didn’t know that this was enabled!

It was used previously for the reporting inside Server > Show CPU/Mem/Disk > Web
Or https://domain.com:8083/list/server/?web

If you remove the last line from status.conf, it seems to work: it won’t appear on live sites, yet it will still report for localhost under /list/server/?web.

Listen 127.0.0.1:8081
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Location>
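Why the first status.conf admits everybody while the second admits only localhost comes down to how Apache’s mod_access_compat evaluates `Order deny,allow`: all Deny directives are checked first, then all Allow directives, and a client matching any Allow is admitted regardless of Deny. The trailing `Allow from all` therefore cancels `Deny from all`. Note also that a `<Location>` block in the global configuration applies to every virtual host, so the `Listen 127.0.0.1:8081` line does nothing to keep /server-status off the public sites. The following is an added example, not code from the thread or from HestiaCP: a small model of that evaluation logic that parses the two fragments posted above (embedded here as constructed sample input) and reports whether a given client IP would be admitted. The names `parse_location`, `rule_matches` and `is_allowed` are this example’s own.

```python
"""Model of Apache mod_access_compat 'Order / Deny from / Allow from' evaluation.

Added example (not part of the thread or of HestiaCP). It parses a
<Location /server-status> block and decides whether a client IP is admitted,
reproducing why the original status.conf admits every client while the fixed
one admits only 127.0.0.1. Hostnames and partial addresses are not modelled;
only 'all', exact IPs and CIDR ranges are understood.
"""
import ipaddress
import re

# Sample input constructed from the thread: the broken and the fixed fragment.
BROKEN_CONF = """\
Listen 127.0.0.1:8081
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
    Allow from all
</Location>
"""

FIXED_CONF = """\
Listen 127.0.0.1:8081
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Location>
"""


def parse_location(conf, path="/server-status"):
    """Return (order, allow_rules, deny_rules) for the <Location path> block.

    Rules are the raw 'from' arguments, e.g. 'all', '127.0.0.1', '10.0.0.0/8'.
    """
    block = re.search(r"<Location %s>(.*?)</Location>" % re.escape(path), conf, re.S)
    if not block:
        raise ValueError("no <Location %s> block found" % path)
    order, allow, deny = "deny,allow", [], []  # deny,allow is Apache's default Order
    for line in block.group(1).splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        directive = parts[0].lower()
        if directive == "order" and len(parts) > 1:
            order = parts[1].lower()
        elif directive == "allow" and len(parts) > 2 and parts[1].lower() == "from":
            allow.extend(parts[2:])
        elif directive == "deny" and len(parts) > 2 and parts[1].lower() == "from":
            deny.extend(parts[2:])
    return order, allow, deny


def rule_matches(rule, client_ip):
    """True if an Allow/Deny 'from' argument covers client_ip."""
    if rule.lower() == "all":
        return True
    addr = ipaddress.ip_address(client_ip)
    try:
        return addr in ipaddress.ip_network(rule, strict=False)
    except ValueError:
        return False  # hostname or partial address: not modelled in this example


def is_allowed(conf, client_ip, path="/server-status"):
    """Apply mod_access_compat semantics to decide whether client_ip is admitted.

    Order deny,allow: Deny rules first, then Allow rules; a client matching any
                      Allow is admitted, and one matching neither is admitted.
    Order allow,deny: Allow rules first, then Deny rules; a client must match an
                      Allow and no Deny, and one matching neither is denied.
    """
    order, allow, deny = parse_location(conf, path)
    allowed = any(rule_matches(r, client_ip) for r in allow)
    denied = any(rule_matches(r, client_ip) for r in deny)
    if order == "deny,allow":
        return allowed or not denied   # a later Allow overrides Deny from all
    if order == "allow,deny":
        return allowed and not denied  # a later Deny overrides any Allow
    raise ValueError("unsupported Order: %s" % order)


if __name__ == "__main__":
    # 203.0.113.7 is a documentation-range address standing in for "some attacker".
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        for ip in ("127.0.0.1", "203.0.113.7"):
            print(name, ip, "allowed" if is_allowed(conf, ip) else "denied")
```

Running the block prints that the broken fragment admits both 127.0.0.1 and 203.0.113.7, while the fixed one admits only 127.0.0.1. On Apache 2.4 the same restriction is written with mod_authz_core as `Require local` (or `Require ip 127.0.0.1`) instead of the Order/Deny/Allow trio, and after any change a plain `curl -sI https://<your-site>/server-status` from an external host should return 403 rather than 200.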

Oh, nice catch, nearly made a mistake :smiley:. I’ll check the changes and probably create a separate status-conf file for the server status. Thanks for the report!


Thanks for your quick reply, guys!

Have a nice day!
