Description
Exposing the Apache server-info page allows attackers to gather detailed information about the server configuration, installed modules, and other system-related details, aiding potential attacks.
Recommendation
To mitigate this risk, disable the server-info functionality in the Apache configuration file. Additionally, restrict access to the /server-info URL using appropriate access controls.
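An added example, not part of the original advisory: a small Python check that scans Apache 2.4-style configuration text for a `SetHandler server-info` mapping whose container has no `Require` restriction or uses `Require all granted`. The sample configurations and the function name `audit_server_info` are constructed for illustration, and legacy `Order`/`Allow` directives are not handled.

```python
import re

# Constructed Apache 2.4-style samples (assumptions, not from the page).
WEAK = """\
LoadModule info_module modules/mod_info.so
<Location "/server-info">
    SetHandler server-info
    Require all granted
</Location>
"""
HARDENED = """\
LoadModule info_module modules/mod_info.so
<Location "/server-info">
    SetHandler server-info
    Require local
</Location>
"""
DISABLED = "#LoadModule info_module modules/mod_info.so\n"


def audit_server_info(conf):
    """Return (line, container, reason) for each server-info mapping left open."""
    findings, stack = [], []
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        # Skip blanks, comments and <RequireAny>/<RequireAll> wrappers so the
        # Require lines inside them count toward the enclosing container.
        if not line or line.startswith("#") or re.match(r"</?Require", line, re.I):
            continue
        if line.startswith("</"):
            if stack:
                blk = stack.pop()
                if blk["handler"] and not blk["requires"]:
                    findings.append((blk["line"], blk["name"], "no Require in block"))
                elif blk["handler"] and "all granted" in blk["requires"]:
                    findings.append((blk["line"], blk["name"], "Require all granted"))
        elif line.startswith("<"):
            stack.append({"name": line.strip("<>"), "line": lineno,
                          "handler": False, "requires": []})
        elif re.match(r"SetHandler\s+server-info\b", line, re.I):
            if stack:
                stack[-1]["handler"] = True
            else:
                findings.append((lineno, "server config", "handler set globally"))
        elif stack and (m := re.match(r"Require\s+(.+)", line, re.I)):
            stack[-1]["requires"].append(" ".join(m.group(1).lower().split()))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("hardened", HARDENED), ("disabled", DISABLED)):
        print(name, audit_server_info(conf))
```

A "no Require in block" finding means access is inherited from other sections that apply to the URL, so it needs manual review rather than being a confirmed exposure.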
References
- Apache Module mod_info
- OWASP: Information Leakage
- Apache HTTP Server
- CWE-16
- CWE-200
- CAPEC-118
- OWASP 2021-A5
Related Issues
- Apache server-status enabled - Vulnerability
- Apache Version Disclosure - Vulnerability
- Nginx Version Disclosure - Vulnerability
- Server Version Disclosure - Vulnerability
Tags
- Server Misconfiguration
- Information Disclosure
- Apache
Last updated on May 13, 2024