Apache server-status enabled

Impact: Medium

Description

Exposing the Apache server-status page allows attackers to gather detailed information about the server’s current state, facilitating potential attacks by revealing active connections, server uptime, and resource usage.

Recommendation

To mitigate this risk, disable the server-status functionality in the Apache configuration file. Additionally, restrict access to the /server-status URL using appropriate access controls.

References

Apache HTTP Server
Apache Module mod_status
CWE-16
CWE-200
OWASP 2021-A5
OWASP: Information Leakage

👉 You might also like:

Apache server-info enabled - Vulnerability

Apache Version Disclosure - Vulnerability

Nginx Version Disclosure - Vulnerability

Server Version Disclosure - Vulnerability

Last updated on May 13, 2024

Apache server-status enabled

Description

Recommendation

References

Use SmartScanner Free version to test for this issue