Description
Exposing the Apache server-info page allows attackers to gather detailed information about the server configuration, installed modules, and other system-related details, aiding potential attacks.
Recommendation
To mitigate this risk, disable the server-info functionality in the Apache configuration file. Additionally, restrict access to the /server-info URL using appropriate access controls.
References
- Apache Module mod_info
- OWASP: Information Leakage
- Apache HTTP Server
- CWE-16
- CWE-200
- CAPEC-118
- OWASP 2021-A5