Description
Exposing the Apache server-status page allows attackers to gather detailed information about the server’s current state, facilitating potential attacks by revealing active connections, server uptime, and resource usage.
Recommendation
To mitigate this risk, disable the server-status functionality in the Apache configuration file. Additionally, restrict access to the /server-status URL using appropriate access controls.
References
- Apache Module mod_status
- OWASP: Information Leakage
- Apache HTTP Server
- CWE-16
- CWE-200
- CAPEC-118
- OWASP 2021-A5