Apache Tomcat /status Information Disclosure

Medium

Synopsis

The remote host may give an attacker information useful for future attacks.

Description

The remote host is running the Tomcat web server with the special /status page enabled. By requesting this URI, an attacker may obtain information about the status of the remote host and may also be able to reset the statistics of the server.

Solution

If you do not use this feature, comment out the appropriate section in your httpd.conf file. If you really need it, limit access to the administrator's host.
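
One way to audit a configuration for the condition described in the Solution, as an added example that is not part of the original advisory. It assumes Apache httpd sits in front of Tomcat and publishes /status through a `<Location>` block; the sample configuration, the verdict names and the address 192.0.2.10 are constructed for illustration.

```python
import re

# Assumption: /status is published through an Apache httpd <Location> block.
BLOCK_START = re.compile(r'^\s*<Location\s+"?(/status(?:/[^">\s]*)?)"?\s*>', re.I)
BLOCK_END = re.compile(r"^\s*</Location>", re.I)
# httpd 2.4 "Require all granted" / 2.2 "Allow from all": anyone may read the page.
OPEN = re.compile(r"^\s*(Require\s+all\s+granted|Allow\s+from\s+all)\b", re.I)
# httpd 2.4 "Require ip|host|local" / 2.2 "Allow from <host>": limited to named hosts.
LIMITED = re.compile(
    r"^\s*(Require\s+(ip|host|local)\b|Allow\s+from\s+(?!all\b)\S+)", re.I)


def classify(body):
    """Verdict for the directives found inside one /status block."""
    if any(OPEN.match(line) for line in body):
        return "exposed"
    if any(LIMITED.match(line) for line in body):
        return "restricted"
    return "review"  # no access rule here; the block inherits from its parent


def audit_status_blocks(conf_text):
    """Return [(path, verdict)] for every active <Location /status...> block."""
    findings, path, body = [], None, []
    for raw in conf_text.splitlines():
        if raw.lstrip().startswith("#"):
            continue  # commented out: the Solution's fix for an unused feature
        start = BLOCK_START.match(raw)
        if start:
            path, body = start.group(1), []
        elif path is not None and BLOCK_END.match(raw):
            findings.append((path, classify(body)))
            path = None
        elif path is not None:
            body.append(raw)
    return findings


# Constructed sample configuration, not taken from a real server.
SAMPLE_CONF = """\
<Location /status>
    Require all granted
</Location>
<Location "/status/admin">
    Require ip 192.0.2.10
</Location>
#<Location /status/old>
#    Require all granted
#</Location>
"""

if __name__ == "__main__":
    for location, verdict in audit_status_blocks(SAMPLE_CONF):
        print(f"{location}: {verdict}")
```

A block reported as `review` carries no access rule of its own, so check the enclosing virtual host or server configuration to see who can reach it.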