This information doesn’t matter, right?

A surprisingly large number of major websites are (or in some cases were) displaying sensitive server information to anybody, as discovered by the security team at Sucuri.

See their blog post here.

So, the Apache web server has a useful tool that reports some basic statistics of the server and displays the most recent connections. Is it really that bad for this information to be public?

Yes. Yes, it is.

While it’s not a security hole that would allow an attack to immediately gain control of your web server, it is giving ammunition to a future attacker.

If they know what operating system and Apache version you are running, they can look up known exploits for that specific combination. Scanning the recent connection list will show them IP addresses that are connecting, and what resources they are requesting. This exposes the internal structure of your web site, which may be obscured when accessed normally.
Additionally, you could theoretically have an administration page which is restricted to a handful of IP addresses. By scanning the server-status page, an attacker could see a successful connection to that administration page and learn which IP addresses are allowed. Then it’s a fairly simple matter to spoof their IP address and own your server.

Additionally, it’s just a simple Google search for an attacker who is looking for any site that has this information displayed.

inurl:"server-status" AND intext:"Apache Server Status for"

That search will be predominantly populated with sites that are showing this data. Some of them may be doing so purposefully (apache.org shows its own stats), but many of them are probably giving away information that should be held more closely.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s