
Apache Server Status for ask.com - dewey
http://ask.com/server-status
======
hannob
Hi, just FYI, I found this, probably someone posted it because a colleague at
Golem.de wrote about it today after I told him:

[https://www.golem.de/news/datenschutz-ask-com-zeigt-auf-apache-statusseite-suchanfragen-an-1704-127182.html](https://www.golem.de/news/datenschutz-ask-com-zeigt-auf-apache-statusseite-suchanfragen-an-1704-127182.html)

I tried to inform ask.com and my colleague tried again. No reaction.

~~~
trampi
Hah, I always suspected that authors of Golem.de are visiting HN.
Congratulations on your finding! It is sad that Ask.com did not react. I
thought that journalists would have a better chance to provoke responses.

------
xchip
My favourite: "q=letter+to+my+boyfriend+in+jail+talking+dirty&l=dir&q"

------
rubatuga
Wow, somebody is searching 3D dad baby incest. Good to know ....

~~~
milsorgen
Kink shaming? Is that a thing here?

~~~
DerpyDoodles
Hey, what if my kink is kink shaming?

------
prashnts
A surprisingly large number of search queries are
"You+have+no+items+in+your+shopping+cart",
"Powered+by+Zen+Cart+%22Would+you+like+to+log",
"%22site+magento%22+inurl%3A%2Findex.php%2Fadmin",
"%22By+zen+cart%22++site%3A.de&" etc.

Seems like a bug in some shopping portal package, but it's still very weird.

~~~
mseebach
It looks like searches for signatures of known vulnerable web apps.

~~~
technion
I'm seeing tonnes of searches for revslider, so I would agree with this.

------
laurencei
So apart from the fact this should be there; how did someone find this in the
first place?

From my quick looking around - it seems that Apache has "/server-status" as a
module - so you could hit all domains via a bit and see if any have it turned
on?

~~~
hannob
Well, yes. That's what I did.

------
RobAley
It seems you can go country specific as well, e.g.

[https://uk.ask.com/server-status](https://uk.ask.com/server-status)

------
superpope99
Is this page meant to be publicly accessible? Seems odd to me that they would
reveal what people are searching for in real time like this.

~~~
arjie
It's Apache mod_status. It's definitely accidental.

~~~
anc84
I would even call it negligent.

~~~
laumars
At least they have mod_info disabled. I've seen so many people accidentally
open both to the world.
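
For reference, here is what the two configurations discussed in this thread look like side by side. This is an added example, not Ask.com's configuration (which nobody outside the company has seen) and not taken from the Apache project; it assumes Apache httpd 2.4 (`Require` syntax from mod_authz_host) and a hypothetical internal monitoring network `10.0.0.0/8`. The first block is the kind of setting that produces a page like the one linked above; the second restricts both mod_status and mod_info to local and internal clients and turns off the per-request detail that leaks query strings.

```apache
# --- Exposed: what a publicly readable /server-status looks like in config ---
# ExtendedStatus On (the default since httpd 2.3.6) makes mod_status list every
# active worker with its client IP, virtual host and full request line,
# including GET /web?q=... query strings.  "Require all granted" lets anyone read it.
<IfModule mod_status.c>
    ExtendedStatus On
    <Location "/server-status">
        SetHandler server-status
        Require all granted
    </Location>
</IfModule>

# --- Hardened: restrict who can read it, and stop recording request lines ---
<IfModule mod_status.c>
    # Off drops the per-worker request table; the scoreboard summary
    # (idle/busy workers, requests/sec, uptime) is still reported.
    ExtendedStatus Off
    <Location "/server-status">
        SetHandler server-status
        # Only loopback and the (assumed) internal monitoring network may read it.
        # "Require local" matches 127.0.0.1, ::1 and the server's own addresses.
        Require local
        Require ip 10.0.0.0/8
    </Location>
</IfModule>

# mod_info exposes the full parsed configuration (modules, directives, paths)
# and deserves the same treatment if it is loaded at all.
<IfModule mod_info.c>
    <Location "/server-info">
        SetHandler server-info
        Require local
    </Location>
</IfModule>
```

Two things worth checking after applying this: `apachectl configtest` (or `httpd -t`) for syntax, and an actual request for `/server-status` from an external address, which should now return 403. The `Require ip` rule is only meaningful if Apache sees the real client address; behind a load balancer or CDN every request appears to come from the proxy's IP, so either enforce the restriction on the proxy itself or configure mod_remoteip to restore the original client IP before relying on IP-based rules.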

------
yladiz
Although it doesn't _seem_ to have any identifiable info, it still seems like
way too much info to be publicly accessible. Not just the searches, but the
PIDs, the Apache version, etc. This seems like it should be behind a firewall
or only internally accessible.

------
elliottlan
Some of these searches are pretty funny...

There is a pretty high concentration of searches for serial numbers.

~~~
dknecht
I emailed their CIO to report the issue.

------
campuscodi
[https://twitter.com/notsleepy/status/850335795261124608](https://twitter.com/notsleepy/status/850335795261124608)

------
oxguy3
Found the kid goofing off in the school computer lab:
/web?q=fun+games+that+are+not+blocked

In all seriousness, this is a disaster -- I'm sure there are already people
scraping this page to grab this data.

------
mdekkers
q=PAUL+GRAHAM+HAS+TITS HTTP/1.1

------
greens231
my fav: GET /web?q=Tom+Hanks+Thinks+His+Butt+Was+A+Beautiful+Thing+To+B

------
cnkk
my favorite: /web?q=recording+people+having+sex+audio&qo=pagination&qid=

