Here's the same thing for apache.org: http://www.apache.org/server-status
It's a treasure trove.
We never saw a concrete security reason for locking it down. If you are worried about people seeing your IP as you browse, then you need to take other steps because your IP is spread across web server log files all over the Internet and you have no control over who has access to those. I'd suggest using Tor if you find this worrying.
I realise that the IP addresses it shows are not on the order of credit card numbers, and it's only the IP addresses at that particular instant (as opposed to historical data or something), but there is a difference between my IP address being logged in server logs and my IP address being visible to anyone who happens to visit a popular website at the same time as I do.
Edit: what I'm saying is, it's very easy to keep this information invisible from the open internet. I can see no advantages and only potential problems leaving it open. Given that, it seems like the prudent thing to do is to close it off.
2) Exposes every visitor's IP and the URL they're visiting to everyone. If more sites did this people's browsing history day-to-day would be exposed.
Also as someone mentioned above, this is clearly a bad configuration issue -- this page is supposed to be password protected or IP restricted (to localhost by default in Apache). At the very least, the visitor IPs need to be masked.
2) There are far more effective ways of tracking users' browsing history than trying to scrape extremely ephemeral data like what you can find on the Apache status page. As someone mentioned, even the Apache project themselves leave this open.
Interestingly enough, php.net is using mod_ssl, but their ssl session cache isn't configured, and they are running a pre-1.0 version.
apache.org however is using openssl 1.0 and they have ssl session caching working. Clearly they know how to configure their apache servers ; ).
Taken alone this isn't much to worry about - it is unwanted information spillage. But it gives away enough information that could be useful as part of another attack.
Since it logs URLs being hit, it can show private URLs - such as those that depend on randomly generated tokens to access data (eg. photobucket photos) or to determine the structure of a backend admin app.
It can also expose sessions in apps that use tokens in URL query parameters where cookies are not allowed (ironically something that older versions of PHP did by default).
It is also useful in measuring the progress of a DoS attack, especially with slowloris.
All of the standard web security scanners check for this page, and rate the severity of the information leak as moderate. What is surprising here is that it hasn't been discovered earlier, considering how often large sites such as php.net would be scanned by such scanners.
That would suggest that this is a temporary configuration glitch, or something that they don't mind being publicly accessible due to the type of content hosted on php.net and the fact that it is mirrored by volunteers anyway.
It would be much more interesting if this happened to, say, Twitter. It did, and I wrote about it at the time (I got a bit carried away, cringe:
They closed it up quickly.
To disable it, remove all reference to mod_status in your config:
# LoadModule status_module libexec/apache2/mod_status.so
# LoadModule info_module libexec/apache2/mod_info.so

# Or, if you want to keep the module but restrict who can view the page (Apache 2.2 access-control syntax; keywords in Order must be separated by a comma with no space):
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from localhost your-host-or-ip.com
</Location>
While you are at it, remove the server signature, which gives away a lot of information in terms of modules enabled and version numbers:
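If you want to verify whether anyone outside your allowed hosts has actually reached /server-status or /server-info on your own server, the access log already tells you. The script below is an added example, not code from the thread: it parses Apache combined-format log lines, flags requests for the status pages from addresses outside an assumed allow-list (loopback only here), and notes whether the server answered 200 (page served) or something else (blocked). The log lines are constructed samples using documentation address ranges.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
127.0.0.1 - - [10/Oct/2010:13:55:36 -0700] "GET /server-status HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.45 - - [10/Oct/2010:13:55:40 -0700] "GET /server-status?refresh=5 HTTP/1.1" 200 5120 "-" "curl/7.21"
198.51.100.7 - - [10/Oct/2010:13:56:01 -0700] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.45 - - [10/Oct/2010:13:56:03 -0700] "GET /server-info HTTP/1.1" 403 199 "-" "curl/7.21"
"""

# Client IP, timestamp, method, request path and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Handlers exposed by mod_status and mod_info.
STATUS_PATHS = ("/server-status", "/server-info")

# Assumed allow-list: only loopback may view the pages. Adjust to match your config.
ALLOWED_NETS = [ip_network("127.0.0.0/8"), ip_network("::1/128")]


def is_allowed(ip, allowed=ALLOWED_NETS):
    """True if the client address falls inside one of the allowed networks."""
    addr = ip_address(ip)
    return any(addr in net for net in allowed)


def find_exposures(log_text, allowed=ALLOWED_NETS):
    """Return one record per status-page request from a non-allowed address."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = m.group("path").split("?", 1)[0]  # drop query string (e.g. ?refresh=5)
        if path not in STATUS_PATHS or is_allowed(m.group("ip"), allowed):
            continue
        status = int(m.group("status"))
        findings.append({"ip": m.group("ip"), "ts": m.group("ts"), "path": path,
                         "status": status, "served": status == 200})
    return findings


if __name__ == "__main__":
    for f in find_exposures(SAMPLE_LOG):
        verdict = "SERVED" if f["served"] else "blocked"
        print(f"{f['ts']} {f['ip']} {f['path']} -> {f['status']} ({verdict})")
```

A "SERVED" line means the page was handed to an outside address at that moment, which is exactly the exposure the thread describes; "blocked" entries show the access control is working but that the path is being probed.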