
Popular sites with Apache server-status enabled (leaking internal details) - davedd
http://blog.sucuri.net/2012/10/popular-sites-with-apache-server-status-enabled.html
======
jd
To those who think it isn't a big deal: when GET requests are made public you
can snoop "password reset links" and similar to get access to somebody else's
account. Even when developers use best practices, GET request paths can leak
sensitive information.

~~~
perezbox
Hi JD

You're right on the GET requests.. :) ..

Any attacker or pentester worth their salt would be able to garner some good
info from this.

See the reference to vulnerable software in the published post.

Cheers.

~~~
alanctgardner2
I think you might mean 'garner'? Just a heads up

~~~
perezbox
Thanks for the heads up. Updated.

------
nthitz
Site is down for me, but I thought we agreed last time this was on HN it
wasn't really that big of a deal..

Previous discussion: <http://news.ycombinator.com/item?id=4661625>

~~~
perezbox
Thanks for the update with the link.

Yeah, not sure I'd agree with it not being a big deal. Especially with the
type of recon you can do on this information as an attacker.

TP

------
marcuspovey
You've got to watch this... Apache typically limits this to localhost, but if
you use squid as a reverse proxy (quite common) then you can see this easily
being exposed since all requests will appear to come from the local machine.

~~~
ludwigvan
Similarly, if you are using nginx in front of apache, watch out.

------
pygorex
Even a cursory scan of the <http://urlfind.org/?server-status> list reveals
scads of porn sites exposing their visitors' IP addresses:

(Note these links go to Apache server-status pages at the time of linking.
This may change if the server admins wise up - to be on the safe side consider
them NSFW):

    http://black-tgirls.com/server-status
    http://badexgfs.com/server-status
    http://tubepornx.com/server-status
    http://lesbianvalley.net/server-status
    ..... and many more .....

Personally, I don't care what consenting adults do with their genitals. But I
think it's safe to assume that the visitors to these sites expect a certain
level of privacy that's not being met.

------
wzm
This can also lead to DoS issues: as I understand it, the Apache server-status
pages are very computationally intensive to produce, since generating one
requires stopping and polling every child.

Something like

    <Location /server-status>
        SetHandler server-status
        Order Deny,Allow
        Deny from all
        Allow from 10.0.0.0/24
    </Location>

(where 10.0.0.0/24 is your local network range) will prevent external requests.
This is mentioned in the Apache documentation linked from the post.

~~~
taejo
According to other commenters, this is only enabled for localhost by default,
but if one is using a reverse proxy on localhost, all requests will appear to
come from there. So be careful with this approach.
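
The proxy pitfall described in the comments above, written out as an added
example (this is not configuration from the post, from Sucuri, or from any
site named here). It assumes Apache 2.4 with mod_status and mod_remoteip
loaded, a reverse proxy (nginx, Varnish or squid) on 127.0.0.1, and a
monitoring host at 10.0.0.5; both addresses are placeholders:

```apache
# WEAK: every request reaches httpd from the reverse proxy, so as far as
# httpd can tell "127.0.0.1" is every visitor on the internet.
#<Location "/server-status">
#    SetHandler server-status
#    Require ip 127.0.0.1
#</Location>

# CORRECTED: let mod_remoteip replace the peer address with the address the
# proxy forwards in X-Forwarded-For, but only trust that header when the TCP
# peer is the proxy itself (127.0.0.1, an assumed address), so a client
# talking to httpd directly cannot spoof its way in.
RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy 127.0.0.1

ExtendedStatus On
<Location "/server-status">
    SetHandler server-status
    # Require ip is evaluated against the mod_remoteip-corrected address,
    # so only the monitoring host (10.0.0.5, an assumed address) gets in.
    Require ip 10.0.0.5
</Location>
```

Two caveats a practitioner should check. First, this only holds if the proxy
sets or appends the real peer address to X-Forwarded-For itself (nginx's
$proxy_add_x_forwarded_for) rather than passing through whatever header the
client sent; a quick test from outside is to request /server-status with a
forged `X-Forwarded-For: 10.0.0.5` header and confirm you still get a 403.
Second, mod_remoteip does not exist in Apache 2.2, which most of the thread
is running, so on 2.2 the options are to deny /server-status at the proxy or
to not enable mod_status on the public vhost at all; denying at the proxy is
worth doing on 2.4 as well, as a second layer.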

------
pjscott
It's also entertaining to google around for nagios dashboards open to the
public, e.g.

[https://www.google.com/search?q=%22View+Host+Status+Detail%2...](https://www.google.com/search?q=%22View+Host+Status+Detail%22)

~~~
jorts
Awesome. Tangentially, I use Nagios to verify that outside access to all my
hosts (including HTTP) is restricted to my IP space.

------
MasterScrat
Aren't the exposed client IPs at <http://php.net/server-status/> a pretty big
deal??

~~~
notatoad
Why is that a big deal? Is exposing the public IPs of some random people
really an issue?

~~~
pjscott
<http://furry-incest-porn.xxx/server-status/>

Yes, it's potentially an issue.

~~~
notatoad
Sure, for a skeezy site. The parent was talking specifically about php.org;
I can't imagine any real risk for a site like that exposing their visitor IP
log.

------
fmd
<http://insecure.org/stc/> (e.g. Information Leakage at the Packet Level) +
staples.com/server-status page = legal profit?

------
Zenst
Back around 13 years ago I believe the default to have it enabled was changed.
That said, a lot of sites carried on leaking that way; ft.com was one, even
after it was pointed out to them. Eventually they changed things when I
mentioned it to an IBM rep who also dealt with FT's account, nice rep.

I can see how it can end up being enabled and left open, but it is also that
level of administration that opens you up to other, more concerning issues;
this is a concerning issue for many reasons. If you had a firewall that by
default blocked remote access to everything not explicitly allowed (with good
wildcarding when needed on subdirectories) other than the main public site,
then that would have caught it. If you had access control, that again would
have controlled it.

The only way some companies will learn is to be hacked or to be done under the
laws for leaking private data. So if you go onto a site like that, tell their
admin they are in breach of the applicable data protection/privacy laws you
have that can cover such things. Then if they don't fix it, cash in on their
stupidity and sue them; you get paid for your time and they pay for their
crime and learn the only way some do learn. Don't hack them, no need, just use
the law. Or get a patent on bad administration and use that to claim back
royalties. Crazy approach, but if you have the money to cater for such whims,
let us all know how it pans out, profitable and educational for the patent
system. Who would contest and claim prior art on the stupidity of
administering computers? You would get your money's worth in laughs if
nothing else.

Short version: this is an old issue and you are also breaking data
protection/privacy laws, be warned. If you see it, warn them and feel free to
educate them via the legal cash machine.

------
JoblessWonder
I found another way to search for a similar status page when trolling for
network traffic.

Some sample Google queries for the curious:

    intitle:"apache status" inurl:server-status
    inurl:web-console/ "jboss Management Console"

Edited to add more:

    inurl:"/status?full=true"

------
davedd
Another issue we identified is that you can find those "hidden" admin panels
or URLs that shouldn't be known to the outside, just by refreshing the page a
few times and checking all the requests.

It is not a best practice, but some companies do it, and it makes those URLs
easier to find.

thanks,
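
What the leak looks like when you actually parse the page, as an added
example that is not code from the Sucuri post, from davedd, or from any site
named in this thread. It pulls the client IP and last request line out of the
ExtendedStatus table that /server-status renders, then flags the request
paths the comments above worry about: password-reset links with tokens (jd),
"hidden" admin panels (davedd), session ids in URLs, and the monitoring host
that polls ?auto (alexfoobar). The HTML sample is constructed to mimic the
mod_status table layout; every IP, hostname and path in it is made up, and
the sensitive-path patterns are a starting heuristic, not a definitive list:

```python
"""Parse an exposed Apache mod_status page and list what it leaks.

Added example; SAMPLE_STATUS_HTML is constructed, not captured from a site.
"""
from html.parser import HTMLParser
import re

SAMPLE_STATUS_HTML = """<html><head><title>Apache Status</title></head><body>
<h1>Apache Server Status for www.example.com</h1>
<dl><dt>Server Version: Apache/2.2.22 (Ubuntu)</dt>
<dt>Total accesses: 48211 - Total Traffic: 1.2 GB</dt></dl>
<table border="0"><tr><th>Srv</th><th>PID</th><th>Acc</th><th>M</th><th>CPU
</th><th>SS</th><th>Req</th><th>Conn</th><th>Child</th><th>Slot</th><th>Client</th><th>VHost</th><th>Request</th></tr>

<tr><td><b>0-0</b></td><td>4121</td><td>0/14/14</td><td>_
</td><td>0.03</td><td>2</td><td>4</td><td>0.0</td><td>0.05</td><td>0.05
</td><td>203.0.113.7</td><td nowrap>www.example.com</td><td nowrap>GET /account/reset?token=5f3a9c1e HTTP/1.1</td></tr>
<tr><td><b>0-1</b></td><td>4122</td><td>1/9/9</td><td>W
</td><td>0.02</td><td>0</td><td>1</td><td>1.4</td><td>0.03</td><td>0.03
</td><td>198.51.100.22</td><td nowrap>www.example.com</td><td nowrap>GET /index.html HTTP/1.1</td></tr>
<tr><td><b>0-2</b></td><td>4123</td><td>0/3/3</td><td>_
</td><td>0.00</td><td>11</td><td>2</td><td>0.0</td><td>0.01</td><td>0.01
</td><td>10.146.78.21</td><td nowrap>www.example.com</td><td nowrap>GET /server-status?auto HTTP/1.0</td></tr>
<tr><td><b>0-3</b></td><td>4124</td><td>0/7/7</td><td>_
</td><td>0.01</td><td>5</td><td>3</td><td>0.0</td><td>0.02</td><td>0.02
</td><td>192.0.2.45</td><td nowrap>www.example.com</td><td nowrap>GET /secret-admin-panel/login.php HTTP/1.1</td></tr>
<tr><td><b>0-4</b></td><td>4125</td><td>0/0/0</td><td>.
</td><td>0.00</td><td>0</td><td>0</td><td>0.0</td><td>0.00</td><td>0.00
</td><td></td><td nowrap></td><td nowrap></td></tr>
</table></body></html>
"""

# (label, pattern) pairs matched against the request path; first match wins.
# Heuristic starting points, not an exhaustive list.
SENSITIVE_PATTERNS = [
    ("password reset link", re.compile(r"reset|token=", re.I)),
    ("admin panel", re.compile(r"admin|/manage|/console", re.I)),
    ("session id in URL", re.compile(r"(phpsessid|jsessionid|sessionid)=", re.I)),
    ("monitoring probe", re.compile(r"/server-status", re.I)),
]


class StatusTableParser(HTMLParser):
    """Collect every <tr> of the page as a list of stripped cell strings."""

    def __init__(self):
        super().__init__()
        self.rows, self._row, self._cell = [], None, None

    def handle_starttag(self, tag, attrs):
        if tag == "tr":
            self._row = []
        elif tag in ("td", "th") and self._row is not None:
            self._cell = []

    def handle_endtag(self, tag):
        if tag in ("td", "th") and self._cell is not None:
            self._row.append("".join(self._cell).strip())
            self._cell = None
        elif tag == "tr" and self._row is not None:
            self.rows.append(self._row)
            self._row = None

    def handle_data(self, data):
        if self._cell is not None:
            self._cell.append(data)


def is_server_status(body):
    """True if the body is a mod_status page rather than, say, a 404."""
    return "<title>Apache Status</title>" in body or "Apache Server Status for" in body


def extract_requests(body):
    """Return one dict per worker that has served a request: client, vhost,
    method, path.  Columns are located by header name, not position, so the
    same code copes with versions that add columns."""
    parser = StatusTableParser()
    parser.feed(body)
    header, entries = None, []
    for row in parser.rows:
        if header is None:
            if "Client" in row and "Request" in row:
                header = {name: i for i, name in enumerate(row)}
            continue
        if len(row) <= max(header.values()):
            continue  # explanatory rows below the table, or a different table
        client, request = row[header["Client"]], row[header["Request"]]
        if not client or not request:
            continue  # idle slot that never served a request
        parts = request.split()
        method, path = (parts[0], parts[1]) if len(parts) >= 2 else ("", request)
        entries.append({"client": client, "vhost": row[header.get("VHost", 0)],
                        "method": method, "path": path})
    return entries


def flag_sensitive(entries):
    """Pair each entry whose path matches a pattern with the pattern's label."""
    flagged = []
    for entry in entries:
        for label, rx in SENSITIVE_PATTERNS:
            if rx.search(entry["path"]):
                flagged.append((entry, label))
                break
    return flagged


def summarize(body):
    """None if this is not a status page; otherwise the distinct client IPs,
    all request entries and the flagged ones."""
    if not is_server_status(body):
        return None
    entries = extract_requests(body)
    return {"clients": sorted({e["client"] for e in entries}),
            "requests": entries, "flagged": flag_sensitive(entries)}


if __name__ == "__main__":
    report = summarize(SAMPLE_STATUS_HTML)
    print("visitor IPs exposed:", ", ".join(report["clients"]))
    for entry, reason in report["flagged"]:
        print(f"{entry['client']:>15}  {entry['method']} {entry['path']}  <- {reason}")
```

Point it at a saved copy of a real page (your own server's, with permission)
and the same functions apply; the only difference from the constructed sample
is that a busy server shows hundreds of rows and repeated refreshes, as davedd
notes, surface paths that never appear in any link.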

------
lazyjones
ouch, sh*t happens when you have it on for 10.0.0.0/24 or so and then set up
Varnish in front of it...

------
code_duck
Sweet, I'm interested in checking out all their configs!

------
perezbox
This is a classic case of bad security posture by larger enterprises.

------
brh_jr
Someone from TweetDeck frequents this site, because it is fixed there. I am
just interested in how busy these sites are. From my quick views Ford and
Staples were the busiest.

------
SnaKeZ
Another report: /server-status/?notable

Example:

<http://apache.org/server-status/?notable>

------
jpswade
<http://apache.org/server-status>

------
tankbot
Looks like Disney fixed theirs.

Can't believe there are admins at this level that miss this.

~~~
jemfinch
Why do you think Disney has access to high quality admins? Do you know high
quality sysadmins who want to work for Disney, or companies like it?

Just because a company is a big name doesn't mean it attracts big talent.
Disney is still fishing from the same ocean where all the best engineers went
to sexier places.

~~~
tankbot
My comment was really 2 separate statements, I don't necessarily think Disney
has a 'rock star' admin(s). But you make a valid point.

Also, I think I don't get paid enough.

------
alexfoobar
latimes has 10.146.78.21 GET:ing /server-status?auto... their nagios IP maybe?

------
davedd
Site is back up.

