Maybe it's a DNS entry or network addresses that would have been secret if not for it appearing in server-status (there's a reason AXFR from random internet clients is a bad idea). Maybe it's a client IP that accesses an admin panel, and attacking that client machine will give you the keys to the kingdom. Maybe it's a PID that's guessable and gives an insight to what a new temporary file or directory will be called, exposing a race condition. Maybe it's the very precise time information to be used for making timing attacks easier. Maybe it's the number of workers configured that lets them tune an attack to fill up resources. Maybe it's the system utilization to help them figure out if they should attack CPU, memory or i/o. Perhaps it's the server version and OS telling them what software is running and thus what exploits they should pick first.
Or maybe it's the fact that the requests can be linked to client IPs to build a profile on specific users, violating their privacy.
Whatever the reason, it's stupid to keep this information public.
You're right on the GET requests.. :) ..
Any attacker, pentesters, worth their salt would be able to garner some good info from this.
See reference to vulnerable soft in the post published.
Previous discussion: http://news.ycombinator.com/item?id=4661625
Yeah, not sure I'd agree with it not being a big deal. Especially with the type of recon you can do on this information as an attacker.
sudo a2dismod status
(Note these links go to Apache server-status pages at the time of linking. This may change if the server admins wise up - to be on the safe side consider them NSFW):
..... and many more .....
Deny from all
Allow from 10.0.0.0/24
(where 10.0.0.0 is your local network range) will prevent external requests. This is mentioned in the linked through Apache documentation.
Additionally, mod_info is enabled, which lets you read nearly the entire running configuration:
Yes, it's potentially an issue.
For example, nba.com has been averaging about 3 connections and 1021 idle workers while I've been watching it. That's perhaps less traffic than you might expect? I don't know, but if I were paying for ad space I might be interested.
AOL deidentifed search data still allowed some people to be identified. When name is tied to some medical condition related search terms, it gets embarrassing...
Yesterday it was returning IP address list with associated medical condition of interest...
I can see how it can end up being enabled and left open, but it is also that level of administration that opens you up to other more concerning issues, this is a concerning issue for many reasons. If you had a firewall that blocked off by default not exprecitly allowed(with good wildcarding when needed on sub directory's) remote access to everything not the main public site then that would of caught it. If you had a access control , that again would of controled it.
Only way some companies will learn is to be hacked or being done under the laws for leaking private data. So if you go onto a sight like that, tell there admin they are in breach of the applicable data protection/privacy laws you have that can cover such things. Then if they don't fix it, cash in on there stupidity and sue them, you get paid for your time and they pay for there crime and learn the only way some do learn. Don't hack them, no need, just use the law. Or get a patent on bad administration and use that to claim back royalties. Crazy approach, but if you have the money to cater for such whims, let us all know how it pans out, profitable and educational for the patent system. Who would contest and claim prior art on stupidity of administrating computers, you would get your money worth in laughs if nothing else.
Short version, this is a old issue and you are also breaking data protection/privacy laws - be warned. If you see it, warn them and feel free to educate them via the legal cashmachine.
Some sample Google queries for the curious:
intitle:"apache status" inurl:server-status
inurl:web-console/ "jboss Management Console"
It is not a best practice, but some companies do and it makes easier for those to be found.
Can't believe there are admins at this level that miss this.
Just because a company is a big name doesn't mean it attracts big talent. Disney is still fishing from the same ocean where all the best engineers went to sexier places.
Also, I think I don't get paid enough.