
Worrying php.net status page (visitors' IPs visible and more) - c16
http://php.net/server-status
======
dangrossman
This is mod_status, one of the modules Apache ships with. Why is this
worrying?

Here's the same thing for apache.org: <http://www.apache.org/server-status>

~~~
codeka
I'd say it's worrying that it's open to the whole internet. Usually when I've
used mod_status, it's been password-protected.

~~~
rll
We have looked at password-protecting it in the past, but it is useful for
debugging and unless we SSL it the act of password-protecting with a simple
basic auth would actually be more troubling than simply not because people get
lazy with their passwords.

We never saw a concrete security reason for locking it down. If you are
worried about people seeing your IP as you browse, then you need to take other
steps because your IP is spread across web server log files all over the
Internet and you have no control over who has access to those. I'd suggest
using Tor if you find this worrying.

~~~
tingletech
If you worked for the state of California (or an organization that has a
policy to follow all CA government code even when it does not technically
apply to them) then you have to consider an IP address a "network location"
and must treat it as potentially personally identifying information. We only
keep IP addresses for 30 days, and try to never share those IP addresses with
third parties.

------
krapp
There are some sites for which exposing visitor IPs might present problems. I
don't think php.net is one of those sites though.

------
shanemhansen
It would be fun to see what people who work at facebook are consulting the
docs for.

Interestingly enough, php.net is using mod_ssl, but their ssl session cache
isn't configured, and they are running a pre-1.0 version.

apache.org however is using openssl 1.0 and they have ssl session caching
working. Clearly they know how to configure their apache servers ; ).

~~~
rll
It isn't configured because we are not actually using SSL anywhere. We have
been looking at it and when we do we will of course use the session cache.

------
nikcub
Good old server-status, which is switched on and open to all in the default
httpd.conf in Apache.

Taken alone this isn't much to worry about - it is unwanted information
spillage. But it gives away enough information that could be useful as part of
another attack.

Since it logs URLs being hit, it can show private URLs - such as those that
depend on randomly generated tokens to access data (eg. photobucket photos) or
to determine the structure of a backend admin app.

It can also expose sessions in apps that use tokens in URL query parameters
where cookies are not allowed (ironically something that older versions of PHP
did by default).

It is also useful in measuring the progress of a DoS attack, especially with
slowloris[1].

All of the standard web security scanners check for this page, and rate the
severity of the information leak as moderate. What is surprising here is that
it hasn't been discovered earlier, considering how often large sites such as
php.net would be scanned by such scanners.

That would suggest that this is a temporary configuration glitch, or something
that they don't mind being publicly accessible due to the type of content
hosted on php.net and the fact that it is mirrored by volunteers anyway.

It would be much more interesting if this happened to, say, Twitter. It did, and
I wrote about it at the time (I got a bit carried away, _cringe_):

<http://techcrunch.com/2009/10/21/twitter-you-say-transperancy-i-say-vulnerability/>

They closed it up quickly.

To disable it, remove all references to mod_status[2] in your config:

    # LoadModule status_module libexec/apache2/mod_status.so

Also the related server_info[3] module:

    # LoadModule info_module libexec/apache2/mod_info.so

If you want to keep the status page, lock it down by IP (and change the
default URL):

    <Location /_status>
        SetHandler server-status
        Order deny,allow
        Deny from all
        Allow from localhost your-host-or-ip.com
    </Location>

You can also add simple http auth just as you would in any other Location or
Directory directive[4].

While you are at it, remove the server signature, which gives away a lot of
information in terms of modules enabled and version numbers:

    ServerSignature Off

Same with extended status, which lists the full URL of every request in flight:

    ExtendedStatus Off

In short, not that big a deal, but could be a big deal on certain websites and
it is something that admins should check for and lock down if they are running
apache.

[1] <http://ha.ckers.org/slowloris/>

[2] <http://httpd.apache.org/docs/2.2/mod/mod_status.html>

[3] <http://httpd.apache.org/docs/2.2/mod/mod_info.html>

[4] <http://doc.norang.ca/apache-basic-auth.html>
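A small audit of the settings discussed above, added here as an example and not part of the original post or of Apache: it scans an httpd.conf-style text for a loaded status_module, ExtendedStatus, ServerSignature and any <Location> handing requests to server-status without access control. The two config fragments are constructed samples (the IP is from the documentation range), not php.net's real configuration.

```python
import re

# Constructed sample (not php.net's config): a default-style open status page.
OPEN_CONF = """\
LoadModule status_module libexec/apache2/mod_status.so
ExtendedStatus On
<Location /server-status>
    SetHandler server-status
</Location>
"""

# Constructed sample: the same page locked down as the post recommends (2.2 syntax).
HARDENED_CONF = """\
LoadModule status_module libexec/apache2/mod_status.so
ExtendedStatus Off
ServerSignature Off
<Location /_status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from localhost 192.0.2.10
</Location>
"""

# Directives that restrict who may reach a Location: 2.2 Deny/Allow, 2.4 Require, or auth.
RESTRICT = re.compile(r"^(Deny\s+from\s+all|Require\s+(ip|local|valid-user|host)\b|AuthType\s+\w+)", re.I)

def audit_status_config(conf):
    """Return a list of findings about mod_status exposure in an httpd.conf-style text."""
    lines = [l.split("#", 1)[0].strip() for l in conf.splitlines()]  # drop comments
    findings = []
    if not any(re.match(r"LoadModule\s+status_module\b", l) for l in lines):
        return findings  # module not loaded: nothing to expose
    if any(re.match(r"ExtendedStatus\s+On$", l, re.I) for l in lines):
        findings.append("ExtendedStatus On: full request URLs are shown per worker")
    if not any(re.match(r"ServerSignature\s+Off$", l, re.I) for l in lines):
        findings.append("ServerSignature not Off: version/module banner leaks")
    path, block = None, []
    for l in lines:
        m = re.match(r"<Location\s+(\S+)\s*>", l, re.I)
        if m:
            path, block = m.group(1), []
        elif re.match(r"</Location\s*>", l, re.I) and path:
            if any(re.match(r"SetHandler\s+server-status$", b, re.I) for b in block):
                if path == "/server-status":
                    findings.append("status handler on default path /server-status")
                if not any(RESTRICT.match(b) for b in block):
                    findings.append(f"{path}: server-status reachable without access control")
            path = None
        elif path is not None:
            block.append(l)
    return findings
```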

------
wyck
Please consider security through common sense. The shed where you store your
lawn mower doesn't have the same security as your bank for a reason. This is
as exciting as watching a traffic jam, oh no hide your license plates!

------
adkatrit
a fun google search: intitle:"Apache Status" inurl:"/server-status"

------
peterwwillis
It's a PHP site. It's not supposed to be secure.

~~~
c16
Please explain in what way that comment was beneficial to this discussion?

~~~
peterwwillis
Beneficial? Hopefully it helps people remember that security in PHP installs
(and the engine itself) is a complete joke and they'll either harden their
stack or stop using it.

