Author Topic: Many sites are exposing their real-time server status /w client IPs and full URI  (Read 2705 times)

db90h

Source: http://thepileof.blo...-status-vfolder.html  (one of my misc blogs)

I describe this all on my blog. Basically, the default Apache configuration includes mod_status (a 'base' module, meaning statically linked by default), and many server admins don't bother securing it. This means all client IPs, and their server requests, are being revealed in real time to anyone who wants it.

The concerns are for cases where:

1. There is sensitive info on the query string
2. Security through obfuscation - uniquely named files and folders
3. Privacy concerns since these stats can be polled/refreshed and a pretty good database of activity from the server can be formed.

Apache sets a bad example, with both Apache.org and PHP.NET being wide open. hXXp://php(dot)net/server-status or hXXp://apache(dot)org/server-status . Wired is even open, at least some of its servers. It depends on which one you hit since they are load balanced. It seems about half of them are 'open', the other half properly secured.
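For readers who run Apache themselves, here is the configuration pattern the post is talking about, as an added example that is not part of the original post or of the Apache project's shipped defaults: the unrestricted `server-status` handler block beside a restricted one. It assumes Apache 2.4 directive syntax (`Require`, from mod_authz_host); the `10.0.0.0/8` admin range is a placeholder to replace with your own management network.

```apache
# Added example, not from the original post. Apache 2.4 syntax assumed.

# --- Exposed: handler enabled with no access control ---
# Anyone who can reach the server can fetch /server-status and see each
# in-flight request's client IP and full request line (path and query string).
<Location "/server-status">
    SetHandler server-status
</Location>
# With mod_status loaded, per-request detail is shown when ExtendedStatus is On.
ExtendedStatus On

# --- Restricted: same handler, readable only from the host or an admin range ---
<Location "/server-status">
    SetHandler server-status
    # "Require local" matches loopback connections; the subnet below is a
    # placeholder for your own admin network. Everyone else gets 403.
    Require local
    Require ip 10.0.0.0/8
</Location>
# Turn per-request detail off unless you actually use it; the page then shows
# only aggregate counters rather than client IPs and URIs.
ExtendedStatus Off

# --- Alternative: if you never look at the status page, do not load the module ---
# Comment out the LoadModule line for status_module in your httpd.conf /
# mods-enabled, then the /server-status path simply returns 404.
```

Use one of the two blocks, not both, since a later `<Location>` for the same path merges with the earlier one. After reloading, a quick self-check from an outside address is `curl -sI https://your.host/server-status`: a restricted or unloaded handler answers 403 or 404, while a 200 with an HTML body means the page is still public. Reverse proxies and load balancers in front of Apache need the same check per backend, which is exactly the "half open, half secured" pattern the post describes.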

Josh

Mouser has this enabled in the very beginning of doco and I pointed it out to him. This is a common vulnerability left open by inexperienced Apache admins.

db90h

Indeed, but would you believe Wired.com and WashingtonPost.com are vulnerable? That's insane. And I just checked a handful of sites off the top of my head. Again, Wired.com is load balanced, so only a percentage of its servers are affected (and it could even be fixed now).

Like I mention, Apache.org sets a terrible example, with their sites wide open. PHP.net, which I checked on today's 5.4.0 release of PHP, is also wide open and reveals they ironically are still running extremely old versions of Apache and PHP, lol.

What needs to happen is either an increase in user awareness, OR a change in defaults. One or the other, in my opinion.