Default Apache Configuration Can Unmask Tor Hidden Services
Attention Tor Onion Hosters!

A year old loophole in Apache Web Server, uncovered by an unknown Computer Science Student, could potentially unmask the real identity of .onion-domains and servers hidden behind the Tor-network.

Although the loophole was reported on Reddit and to the Tor Project months back, it recently came to the limelight soon after a tweet by Alec Muffet, a well-known security enthusiast and current software engineer at Facebook.

What is Tor Hidden (.onion) Service? Dark Web websites (generally known as 'onion services') with a special domain name that ends with .onion, are called Tor Hidden Service and reachable only via the Tor network.

Tor Hidden Service is a widely popular anonymity network used by Whistleblowers, Underground Markets, Defense Networks and more in order to maintain secrecy over the Internet.

An Onion Website can be hosted on the top of any web servers. But, if you are choosing Apache, then you need to rethink.

Apache Misconfiguration Exposes Tor Hidden Servers

According to the report, most distributions of Apache Server ship with mod_status module, enabled by default, which could disclose the real identity of the .onion domains, placing the Onion Servers at risk of being identified.

Apache's mod_status module helps server administrators to monitor the health of web server with an HTML interface and is accessible via a web browser on its localhost only.

The Output of this module would be available on every server when accessing the URL:

However, running mod_status module with Tor hidden service may result in exposing 'server-status' page to the world via Tor daemon service.

This page would spit the sensitive backend data like server's settings, uptime, resource usage, total traffic, virtual hosts, and active HTTP requests if enabled by default which is enough to figure out the Server location.
"What could a malicious actor do in that case? They could spy on potentially sensitive requests," reads the blog post regarding the issue. "They could deduce the server's approximate longitude if the timezone is set. They could even determine its IP address if a clearnet Virtual Host is present."

How to Disable mod_status on Apache

Now, if you run a .onion domain on top of any Apache Server, then make sure that the mod_status is disabled.

For this, you may need to run this code in shell command:-
sudo ap2dismod status
  • "ap2" stands for Apache 2.x
  • "dis" stands for disable
  • "mod" stands for module
Soon after this, if you reload, then you would be prompted by a 403 or 404 Error Prompt. The Error message would ensure that you are no longer vulnerable to that Risk.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.