Apache information is publicly accessible
Hi,
I found that if you go to your ipaddress/server-status, it will show you private information such as connections, IPs, uptime, OS version, apache version.
This is the vulnerability https://nvd.nist.gov/vuln/detail/CVE-2014-0226
Even though the apache version running is greater than the one in the article, the feature mod_status is enabled. The solution is to either disable mod_status or ensure that access is limited to valid users / hosts. However, there is no way to modify the httpd.conf since it's a closed box. I am dealing with support, but they are not giving me a solution yet.
All of you guys have the same issue? Do you have a workaround?
3 Comments
[ + ] Show comments
-
I'd be interested in hearing the results from support. - ondrar 4 years ago
-
What version are you running? I just tried it on a 10.0 test box and could get to /server-status, but could not get to it on production 9.1 boxes. - ondrar 4 years ago
-
This issue is currently under investigation. We will update this post once this has been completed. - KevinG 4 years ago
Answers (1)
Please log in to answer
Posted by:
KevinG
4 years ago
We now have a fix that can be applied. Can you post your Support Ticket number for me.
