Apache mod_status /server-status Information Disclosure

medium Web Application Scanning Plugin ID 98225

Synopsis

Apache mod_status /server-status Information Disclosure

Description

It is possible to obtain an overview of the remote Apache web server's activity and performance by requesting the URL '/server-status'. This overview includes information such as current hosts and requests being processed, the number of workers idle and service requests, and CPU utilization.

Solution

If required, update Apache's configuration file(s) to either disable mod_status or ensure that access is limited to valid users / hosts.

See Also

https://httpd.apache.org/docs/current/mod/mod_status.html

Plugin Details

Severity: Medium

ID: 98225

Type: remote

Published: 6/2/2018

Updated: 6/2/2018

Scan Template: api, scan, pci

Risk Information

Risk Factor: Medium

CVSS v2.0

Base Score: 5

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS v3.0

Base Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Vulnerability Information

Exploit Available: true

Vulnerability Publication Date: 1/1/1999

Reference Information