Apache Tomcat /status Information Disclosure

medium Nessus Network Monitor Plugin ID 1462

Synopsis

The remote host may give an attacker information useful for future attacks.

Description

The remote host is running the Apache Tomcat web server with the /status page enabled. By requesting this URI, an attacker may obtain information about the state of the server (JVM memory usage, thread pool state and request-processing statistics) and may also be able to reset the server's statistics. None of this is directly exploitable, but it tells an attacker which Tomcat version is deployed, how busy the server is and which applications and connectors exist, which is useful for planning further attacks.

Solution

If you do not use this feature, disable it. If the status page is served by Apache httpd's mod_status (this is the case the httpd.conf reference applies to), comment out or remove the Location block that sets the server-status handler in httpd.conf, or restrict it to the administrator's host with an access directive such as Require ip. If the page is served by Tomcat itself, it is part of the Manager web application: remove the Manager application if it is not needed; otherwise restrict it to the administrator's host (for example with a RemoteAddrValve in the application's context configuration) and make sure only users holding the Manager roles defined in conf/tomcat-users.xml can log in. After the change, request the URI again from a non-administrative host and confirm that the server answers 403 or 404 rather than the status page.
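The following is an added configuration example, not part of the Tenable plugin text or of the Tomcat project's shipped files: a context configuration for the Tomcat Manager application (which serves the status page) that limits access to the loopback addresses and one administrator host. The administrator host address 10.0.0.5 and the file location are assumptions for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example context configuration for the Tomcat Manager application.
     Place it at conf/Catalina/localhost/manager.xml (assumed deployment
     path) so it overrides the context shipped with the application. -->
<Context antiResourceLocking="false" privileged="true">
  <!-- RemoteAddrValve matches the client IP address against the 'allow'
       regular expression; any client that does not match receives a 403
       before any servlet of the Manager application (including the status
       page) runs. 10.0.0.5 is the assumed administrator host. -->
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|10\.0\.0\.5" />
</Context>
```

Two caveats apply. The valve is an address filter, not authentication: users must still authenticate with an account that holds the Manager roles configured in conf/tomcat-users.xml. And if Tomcat sits behind a reverse proxy or load balancer, the valve sees the proxy's address, not the client's, unless a RemoteIpValve that trusts the proxy is configured ahead of it; in that setup the restriction should also be enforced at the proxy.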

Plugin Details

Severity: Medium

ID: 1462

Family: Web Servers

Published: 8/20/2004

Updated: 1/15/2016

Nessus ID: 11218

Vulnerability Information

CPE: cpe:/a:apache:tomcat