Hacker News new | comments | show | ask | jobs | submit login
Worrying php.net status page (visitors' IPs visible and more) (php.net)
42 points by c16 1828 days ago | hide | past | web | 21 comments | favorite

This is mod_status, one of the modules Apache ships with. Why is this worrying?

Here's the same thing for apache.og: http://www.apache.org/server-status

As a security hacker, I always enjoy when servers leak juicy tidbits like version numbers, PID numbers, timing information, load use, client/server IPs, configuration of the webserver's limits, vhosts served, URLs served, TLS stats....

It's a treasure trove.

I'd say it worrying that its open to the whole internet. Usually when I've used mod_status, its been password-protected.

We have looked at password-protecting it in the past, but it is useful for debugging and unless we SSL it the act of password-protecting with a simple basic auth would actually be more troubling than simply not because people get lazy with their passwords.

We never saw a concrete security reason for locking it down. If you are worried about people seeing your IP as you browse, then you need to take other steps because your IP is spread across web server log files all over the Internet and you have no control over who has access to those. I'd suggest using Tor if you find this worrying.

If you worked for the state of California (or an organization that has a policy to follow all CA government code even when it does not technically apply to them) then you have to consider an IP address a "network location" and must treat it as potentially personally identifying information. We only keep IP addresses for 30 days, and try to never share those IP addresses with third parties.

Security is all about trade-offs. When I've used mod_status, I've just used a simple username and password that everybody shared. I've also served it from a different URL than the "well-known" /server-status.

I realise that the IP addresses it shows are not on the order of credit card numbers, and its only the IP addresses at that particular instant (as opposed to historical data or something), but there is a difference between my IP address being logged in server logs and my IP address being visible to anyone who happens to visit a popular website at the same time as I do.

Edit: what I'm saying is, its very easy to keep this information invisible from the open internet. I can see no advantages and only potential problems leaving it open. Given that, it seems like the prudent thing to do is to close it off.

Exposing URLs doesn't seem appropriate.

1) It provides a plethora of information to potential hackers as they can see literally every incoming request and can find admin pages and such.

2) Exposes every visitor's IP and the URL they're visiting to everyone. If more sites did this people's browsing history day-to-day would be exposed.

Also as someone mentioned above, this is clearly a bad configuration issue -- this page is supposed to be password protected or IP restricted (to localhost by default in Apache). At the very least, the visitor IPs need to be masked.

1) Every piece of code on that box is open source. Security-through-obscurity hoping people won't find your admin pages is senseless.

2) There are far more effective ways of tracking users' browsing history than trying to scrape extremely ephemeral data like what you can find on the Apache status page. As someone mentioned, even the Apache project themselves leave this open.

He said IP restricted or password protected. That's not "security through obscurity".

And he is responding to the "finding admin pages or urls".

Actually, he said "admin pages and such".

There are some sites for which exposing visitor IPs might present problems. I don't think php.net is one of those sites though.

It would be fun to see what people who work at facebook are consulting the docs for.

Interestingly enough, php.net is using mod_ssl, but their ssl session cache isn't configured, and they are running a pre-1.0 version.

apache.org however is using openssl 1.0 and they have ssl session caching working. Clearly they know how to configure their apache servers ; ).

It isn't configured because we are not actually using SSL anywhere. We have been looking at it and when we do we will of course use the session cache.

Good old server-status, which is switched on an open to all in the default httpd.conf in Apache.

Taken alone this isn't much to worry about - it is unwanted information spillage. But it gives away enough information that could be useful as part of another attack.

Since it logs URLs being hit, it can show private URLs - such as those that depend on randomly generated tokens to access data (eg. photobucket photos) or to determine the structure of a backend admin app.

It can also expose sessions in apps that use tokens in URL query parameters where cookies are not allowed (ironically something that older versions of PHP did by default).

It is also useful in measuring the progress of a DoS attack, especially with slorloris[1].

All of the standard web security scanners check for this page, and rate the severity of the information leak as moderate. What is surprising here is that it hasn't been discovered earlier, considering how often large sites such as php.net would be scanned by such scanners.

That would suggest that this is a temporary configuration glitch, or something that they don't mind being publicly accessible due to the type of content hosted on php.net and the fact that it is mirrored by volunteers anyway.

It would be much more interesting if this happen to, say, Twitter. It did, and I wrote about it at the time (I got a bit carried away, cringe:


They closed it up quickly.

To disable it, remove all reference to mod_status[2] in your config:

    # LoadModule status_module libexec/apache2/mod_status.so
Also the related server_info[3] module:

    # LoadModule info_module libexec/apache2/mod_info.so
If you want to keep the status page, lock it down by IP (and change the default URL):

    <Location /_status>
        SetHandler server-status
        Order deny, allow
        Deny from all
        Allow from localhost your-host-or-ip.com
    </Location >
You can also add simple http auth just as you would in any other Location or Directory directive[4].

While you are at it, remove the server signature, which gives away a lot of information in terms of modules enabled and version numbers:

    ServerSignature Off
Same with extended status:

    ExtendedStatus On
In short, not that big a deal, but could be a big deal on certain websites and it is something that admins should check for and lock down if they are running apache.

[1] http://ha.ckers.org/slowloris/

[2] http://httpd.apache.org/docs/2.2/mod/mod_status.html

[3] http://httpd.apache.org/docs/2.2/mod/mod_info.html

[4] http://doc.norang.ca/apache-basic-auth.html

Please consider security through common sense. The shed where you store your lawn mower doesn't have the same security as your bank for a reason. This is as exciting as watching a traffic jam, oh no hide your license plates!

a fun google search: intitle:"Apache Status" inurl:"/server-status"

It's a PHP site. It's not supposed to be secure.

Please explain in what way that comment was beneficial to this discussion?

Beneficial? Hopefully it helps people remember that security in PHP installs (and the engine itself) is a complete joke and they'll either harden their stack or stop using it.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact