Description
Exposing the Apache server-status page allows attackers to gather detailed information about the server’s current state, facilitating potential attacks by revealing active connections, server uptime, and resource usage.
Recommendation
To mitigate this risk, disable the server-status functionality in the Apache configuration file. Additionally, restrict access to the /server-status URL using appropriate access controls.
References
- Apache Module mod_status
- OWASP: Information Leakage
- Apache HTTP Server
- CWE-16
- CWE-200
- CAPEC-118
- OWASP 2021-A1
- OWASP 2021-A5
Related Issues
- Apache Version Disclosure - Vulnerability
- Apache server-info enabled - Vulnerability
- Server Version Disclosure - Vulnerability
- Tomcat Version Disclosure - Vulnerability
- Tags:
- Server Misconfiguration
- Information Disclosure
- Apache
Anything's wrong? Let us know Last updated on May 13, 2024