WA00510 W22 - Web server status module must be disabled.


The Apache mod_info module provides information on the server configuration via access to a /server-info URL location, while the mod_status module provides current server performance statistics. While having server configuration and status information available as a web page may be convenient, it is recommended that these modules not be enabled: Once mod_info is loaded into the server, its handler capability is available in per-directory .htaccess files and can leak sensitive information from the configuration directives of other Apache modules such as system paths, usernames/passwords, database names, etc. If mod_status is loaded into the server, its handler capability is available in all configuration files, including per-directory files (e.g., .htaccess) and may have security-related ramifications.


Disable info and status modules by adding a '#' in front of them within the httpd.conf file, and restarting the Apache service.

See Also


Item Details


References: 800-53|AC-6(10), CAT|II, Rule-ID|SV-33171r2_rule, STIG-ID|WA00510_W22, Vuln-ID|V-26294

Plugin: Windows

Control ID: 203e14291b84c4d01e89f76298545f8c62e9f3a2fd8a0b0d2b3e745746c52e48