Good old server-status, which is switched on and open to all in the default httpd.conf in Apache.
Taken alone this isn't much to worry about - it is unwanted information spillage. But it gives away enough information that could be useful as part of another attack.
Since it logs URLs being hit, it can show private URLs - such as those that depend on randomly generated tokens to access data (e.g. photobucket photos) or to determine the structure of a backend admin app.
It can also expose sessions in apps that use tokens in URL query parameters where cookies are not allowed (ironically something that older versions of PHP did by default).
It is also useful in measuring the progress of a DoS attack, especially with slowloris.
All of the standard web security scanners check for this page, and rate the severity of the information leak as moderate. What is surprising here is that it hasn't been discovered earlier, considering how often large sites such as php.net would be scanned by such scanners.
That would suggest that this is a temporary configuration glitch, or something that they don't mind being publicly accessible due to the type of content hosted on php.net and the fact that it is mirrored by volunteers anyway.
It would be much more interesting if this happened to, say, Twitter. It did, and I wrote about it at the time (I got a bit carried away, cringe:
We have looked at password-protecting it in the past, but it is useful for debugging, and unless we SSL it, the act of password-protecting it with simple basic auth would actually be more troubling than simply not doing so, because people get lazy with their passwords.
We never saw a concrete security reason for locking it down. If you are worried about people seeing your IP as you browse, then you need to take other steps because your IP is spread across web server log files all over the Internet and you have no control over who has access to those. I'd suggest using Tor if you find this worrying.
If you worked for the state of California (or an organization that has a policy to follow all CA government code even when it does not technically apply to them) then you have to consider an IP address a "network location" and must treat it as potentially personally identifying information. We only keep IP addresses for 30 days, and try to never share those IP addresses with third parties.
Security is all about trade-offs. When I've used mod_status, I've just used a simple username and password that everybody shared. I've also served it from a different URL than the "well-known" /server-status.
I realise that the IP addresses it shows are not on the order of credit card numbers, and it's only the IP addresses at that particular instant (as opposed to historical data or something), but there is a difference between my IP address being logged in server logs and my IP address being visible to anyone who happens to visit a popular website at the same time as I do.
Edit: what I'm saying is, it's very easy to keep this information invisible from the open internet. I can see no advantages and only potential problems in leaving it open. Given that, it seems like the prudent thing to do is to close it off.
1) It provides a plethora of information to potential hackers as they can see literally every incoming request and can find admin pages and such.
2) Exposes every visitor's IP and the URL they're visiting to everyone. If more sites did this, people's browsing history day-to-day would be exposed.
Also as someone mentioned above, this is clearly a bad configuration issue -- this page is supposed to be password protected or IP restricted (to localhost by default in Apache). At the very least, the visitor IPs need to be masked.
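For reference, here is what the open handler and the locked-down handler that the comment above describes look like in Apache 2.4 syntax. This is an added illustration, not configuration from php.net or from any poster; the path /internal-status and the 10.0.0.0/8 management range are assumed values.

```apache
# Open form: the handler is mapped with no access control, so every
# client on the internet can read the scoreboard, client IPs and URLs.
# (Illustrative only; php.net's real httpd.conf is not shown on this page.)
#<Location "/server-status">
#    SetHandler server-status
#</Location>

# Locked-down form.
# ExtendedStatus On is what adds per-request detail (client IP, vhost,
# request URL) to the page; set it Off if you only need the scoreboard.
ExtendedStatus On

# Serve the handler from a non-default path, as one commenter suggests,
# and restrict it to loopback plus an assumed management network.
# Everything else receives 403 Forbidden.
<Location "/internal-status">
    SetHandler server-status
    Require ip 127.0.0.1 ::1 10.0.0.0/8
</Location>

# Equivalent for Apache 2.2, which has no Require ip directive:
#<Location "/internal-status">
#    SetHandler server-status
#    Order deny,allow
#    Deny from all
#    Allow from 127.0.0.1 10.0.0.0/8
#</Location>
```

After reloading Apache, a request for both /server-status and the new path from an address outside the allowed ranges should come back 403 or 404; that is the quick check that the lock-down actually took effect.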
1) Every piece of code on that box is open source. Security-through-obscurity hoping people won't find your admin pages is senseless.
2) There are far more effective ways of tracking users' browsing history than trying to scrape extremely ephemeral data like what you can find on the Apache status page. As someone mentioned, even the Apache project themselves leave this open.
As a security hacker, I always enjoy when servers leak juicy tidbits like version numbers, PID numbers, timing information, load use, client/server IPs, configuration of the webserver's limits, vhosts served, URLs served, TLS stats....
Please consider security through common sense. The shed where you store your lawn mower doesn't have the same security as your bank for a reason. This is as exciting as watching a traffic jam, oh no hide your license plates!