/build/static/layout/Breadcrumb_cap_w.png

Apache information is publicly accessible

Hi,

I found that if you go to your ipaddress/server-status, it will show you private information such as connections, IPs, uptime, OS version, apache version.

This is the vulnerability https://nvd.nist.gov/vuln/detail/CVE-2014-0226

Even though the apache version running is greater than the one in the article, the feature mod_status is enabled. The solution is to either disable mod_status or ensure that access is limited to valid users / hosts. However, there is no way to modify the httpd.conf since it's a closed box. I am dealing with support, but they are not giving me a solution yet.

All of you guys have the same issue? Do you have a workaround?



3 Comments   [ + ] Show comments
  • I'd be interested in hearing the results from support. - ondrar 1 year ago
  • What version are you running? I just tried it on a 10.0 test box and could get to /server-status, but could not get to it on production 9.1 boxes. - ondrar 1 year ago
  • This issue is currently under investigation. We will update this post once this has been completed. - KevinG 1 year ago

Answers (1)

Posted by: KevinG 1 year ago
8th Degree Black Belt
0

We now have a fix that can be applied. Can you post your Support Ticket number for me.


Comments:
  • What was the fix? We are showing the same Vulnerability after updating to Ver.10. - abeckloff 1 year ago
    • Contact support and they can tether in and apply the fix. It will drop all connections at the time, but the whole process takes like 10 seconds. - ondrar 1 year ago
 
This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ