Researchers found Apache Server-Status Enabled on some popular site like php.net , cisco, nba.com, Cloudflare, Metacafe, Ford, yellow.com, and others.
For backgorund, there is a Module mod_status in Apache server which allows a server administrator to find out how well their server is performing. A HTML page is presented that gives the current server statistics in an easily readable form.
Basically, mod_status provides information on your apache server activity and performance. The main security risk of using this module is only Information disclosure which includes infomation such as Server uptime, Individual request-response statistics and CPU usage of the working processes, Current HTTP requests, client IP addresses, requested paths, processed virtual hosts. , that could give a potential attacker information about how to attack the web server.
Few popular brands showing their status online, discovered by Daniel Cid from Sucuri:
- https://cloudflare.com/server-status/ (Fixed now)
- https://disney.go.com/server-status (Fixed now)
- https://tweetdeck.com/server-status/ (Fixed now)
Solution, Don't allow Apache Server mod_status Publicly Accessible and for that administrator need to just do few changes in the configuration file of apache (httpd.conf). Additionally it is recommended to comment out the
section from Apache configuration file httpd.conf.