10/02/2019 145 views

Hi,

I found that if you go to your ipaddress/server-status, it will show you private information such as connections, IPs, uptime, OS version, and Apache version.

This is the vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2014-0226

Even though the Apache version running is greater than the one in the article, the feature mod_status is enabled. The solution is to either disable mod_status or ensure that access is limited to valid users / hosts. However, there is no way to modify the httpd.conf since it's a closed box. I am dealing with support, but they are not giving me a solution yet.

Do all of you guys have the same issue? Do you have a workaround?



Comments

  • I'd be interested in hearing the results from support.
  • What version are you running? I just tried it on a 10.0 test box and could get to /server-status, but could not get to it on production 9.1 boxes.
  • This issue is currently under investigation. We will update this post once this has been completed.

All Answers

0

We now have a fix that can be applied. Can you post your Support Ticket number for me?

Answered 10/08/2019 by: KevinG
Second Degree Green Belt
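
One way to confirm, once a fix is in place, that /server-status no longer answers a host that should not have access. This is an added example, not part of the original thread or the vendor's fix; the function name, sample pages, hostname, version string and addresses are constructed. Fetch the page with any HTTP client and pass in the status code and body.

```python
import re

# Constructed sample of a mod_status HTML page (not captured from a real appliance).
SAMPLE_EXPOSED = """<html><head><title>Apache Status</title></head><body>
<h1>Apache Server Status for appliance.example.test (via 192.0.2.10)</h1>
<dl><dt>Server Version: Apache/2.4.x (Unix)</dt>
<dt>Server uptime:  3 days 4 hours 12 minutes 9 seconds</dt></dl>
<table border="0"><tr><th>Srv</th><th>Client</th><th>Request</th></tr>
<tr><td><b>0-0</b></td><td>198.51.100.23</td><td nowrap>GET /index.php HTTP/1.1</td></tr>
<tr><td><b>1-0</b></td><td>203.0.113.7</td><td nowrap>GET /login HTTP/1.1</td></tr>
</table></body></html>"""

# Constructed sample of what a restricted endpoint might return instead.
SAMPLE_BLOCKED = "<html><body><h1>Forbidden</h1></body></html>"

# Fields the original post lists as leaked: Apache version and uptime.
FIELDS = {
    "server_version": re.compile(r"<dt>Server Version:\s*([^<]+)</dt>", re.I),
    "uptime": re.compile(r"<dt>Server uptime:\s*([^<]+)</dt>", re.I),
}
# Client addresses appear as plain table cells in the per-connection table.
CLIENT_CELL = re.compile(r"<td>(\d{1,3}(?:\.\d{1,3}){3})</td>")


def audit_server_status(status_code, body):
    """Classify one response to GET /server-status fetched from an untrusted host."""
    result = {"exposed": False, "leaked": {}}
    # A 200 alone is not proof: require the mod_status page heading as well,
    # so a custom error page served with 200 is not counted as exposure.
    if status_code != 200 or "Apache Server Status" not in body:
        return result
    result["exposed"] = True
    for name, pattern in FIELDS.items():
        match = pattern.search(body)
        if match:
            result["leaked"][name] = match.group(1).strip()
    clients = sorted(set(CLIENT_CELL.findall(body)))
    if clients:
        result["leaked"]["client_ips"] = clients
    return result


if __name__ == "__main__":
    print(audit_server_status(200, SAMPLE_EXPOSED))
    print(audit_server_status(403, SAMPLE_BLOCKED))
```

Run the check from a network position that should be denied; a result with `exposed` set to `False` from there, and a working page from an allowed admin host, is the outcome the post describes as the solution.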
