Home | Blog | Software | Reviews and Features | Forum | Help | Donate | About us
topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • December 09, 2016, 03:21:12 PM
  • Proudly celebrating 10 years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Author Topic: Many sites are exposing their real-time server status /w client IPs and full URI  (Read 1074 times)

db90h

  • Coding Snacks Author
  • Charter Member
  • Joined in 2005
  • ***
  • default avatar
  • Posts: 481
  • Software Engineer
    • View Profile
    • Bitsum - Take control of your PC
    • Read more about this member.
    • Donate to Member
Source: http://thepileof.blo...-status-vfolder.html  (one of my misc blogs)



I describe this all on my blog. Basically, the default Apache configuration includes mod_status (a 'base' module, meaning statically linked by default), and many server admins don't bother securing it. This means all client IPs, and their server requests, are being revealed in real time to anyone who wants it.

The concerns are for cases where:

1. There is sensitive info on the query string
2. Security through obfuscation - uniquely named files and folders
3. Privacy concerns since these stats can be polled/refreshed and a pretty good database of activity from the server can be formed.

Apache sets a bad example, with both Apache.org and PHP.NET both being wide open. hXXp://php(dot)net/server-status or hXXp://apache(dot)org/server-status . Wired is even open, at least some of its servers. It depends on which one you hit since they are load balanced. It seems about half of them are 'open', the other half properly secured.

Josh

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Points: -5
  • Posts: 3,397
    • View Profile
    • Donate to Member
Mouser has this enabled in the very beginning of doco and I pointed it out to him. This is a common vulnerability left open by inexperienced apache admins.

db90h

  • Coding Snacks Author
  • Charter Member
  • Joined in 2005
  • ***
  • default avatar
  • Posts: 481
  • Software Engineer
    • View Profile
    • Bitsum - Take control of your PC
    • Read more about this member.
    • Donate to Member
Indeed, but would you believe Wired.com and WashingtonPost.com are vulnerable? That's insane. And I just checked a handful of sites off the top of my head. Again, Wired.com is load balanced, so only a percentage of its servers are affected (and it could even be fixed now).

Like I mention, Apache.org sets a terrible example, with their sites wide open. PHP.net, which I checked on today's 5.4.0 release of PHP, is also wide open and reveals they ironically are still running extremely old versions of Apache and PHP, lol.

What needs to happen is either an increase in user awareness, OR a change in defaults. One or the other, in my opinion.