Many servers on the web, including some BIG ONES, have their web stats wide open

Started by Jeremy Collake, March 02, 2012, 05:41:32 PM


Jeremy Collake

See: http://thepileof.blogspot.com/2012/03/apaches-server-status-vfolder.html for the full story.

Here's a snippet:

While securing my own server, I noticed that some (many!?!) server admins that use default Apache HTTPD setups may not realize that their Apache server status is available to anyone at the public URL hxxp://example.com/server-status . Of course, replace example.com with your domain name.

I did some real quick tests on a couple other sites. Here are Wired.com and WashingtonPost.com. Note that for Wired the 'www' sub-domain is mandatory (or was before they fixed it, for whatever reason - load balanced servers or a misconfiguration). WashingtonPost.com and Apache.org are still wide open, and God knows how many other sites, as I only tested a handful.

Here's a couple quick snapshots of The Washington Post and Wired.com. I have blurred out client IPs.

WASHINGTONPOST.COM:

WIRED.COM:
THIS IS ONLY THE FIRST PART OF PAGES AND PAGES OF INFORMATION, INCLUDING CLIENT IPs! 

Next, I tested Apache.org, seemed reasonable. To my surprise, IT was wide open too! Great example they are setting, lol.
Again, this is only the FIRST of MANY, MANY pages of information (as you can see), including IP addresses of ALL clients currently hitting the server. In all my screenshots I've omitted them, or blurred them out.


Why Care?


So clearly we have here a lot of public information that could be useful to attackers, competitors, statistic collection agencies, and whoever else. A person could poll this page on an interval and get lots of information about your visitors, and what content they are visiting. In addition, 'sensitive' URLs that make the mistake of hoping for security through obscurity may be exposed to potential attackers, especially if they pass credentials on the query string. And, of course, at the most basic level, this status may allow a DDoS attacker to know what effect he or she is having, and what counter-measures you may have in place.

Let's recap. Imagine how many:
  1. Sites pass secure credentials on the query string via GET requests, under the *assumption* that nobody else is seeing the GET requests in REAL TIME.
  2. Sites that use security through obscurity, by using unique folder and file names.
  3. Privacy implications, given that this status can be continually refreshed to get lots of information about a server AND its visitors.
  4. Cases where additional information about the server can be helpful to attackers.
  5. Other theoretical concerns I can't imagine.
Those are the primary concerns, and they are big enough so that any responsible server admin would surely want to hide their service status from the general public.

Update: Appending different parameters to the server-status URL provides information in other formats, and sometimes additional info (e.g. ?auto shows me mod_qos settings I don't see on the main status page of my server). See below link for full information.

What is this?


As with all things Apache, it is a module, mod_status.  Of course, almost every ancillary feature in Apache is implemented as a module, either statically or dynamically linked. Most every Apache configuration will have it installed, though as we see, not all have it properly secured! It is configured by default to be built into Apache, as part of the 'base' modules.


How many servers are vulnerable?


Given that this is an Apache default, and Apache.org proudly has their stats wide open, I'd say that it is probably a fairly common mistake due to the lack of awareness, and based on the handful of quick tests I did. I have not scanned a bunch of sites, nor will I. I just tested a handful off the top of my head. Could I have just happened to hit vulnerable ones? Perhaps, but it seems unlikely. 


How to protect your server-status


The fix is pretty simple, as with everything Apache. Assuming you want these stats on, here's your best bet. You simply need to add to your .htaccess, httpd.conf, or your management software's HTTPD includes something along the lines of:
# lock down server-status

<Location /server-status>
    SetHandler server-status
    # Apache 2.2 access-control syntax: deny everyone first, then allow only the listed clients
    Order deny,allow
    Deny from all
    Allow from localhost 127.0.0.1
    # a hostname here only matches if its forward and reverse DNS lookups agree;
    # an IP address or CIDR range is more reliable
    Allow from someplace.whereiam.example.com
</Location>
The docs themselves actually recommend this, but it seems few have paid attention, or have implemented it correctly in hosted site default configurations. The ideal fix is to have mod_status not expose this page to non-localhost clients unless expressly specified.

So, check your server, make sure your stats are secure! If Wired.com isn't, there has to be lots more. It seems that most are secure, thankfully. However, there are PLENTY that are wide open. 


UPDATE: Also check /server-info and (if using cPanel/WHM) /whm-server-status . The former may be wide open on some sites, and provides complete server information. Still, /server-status seems to be the one that is most ignored in the security configuration of sites around the web.

UPDATE2: As a new version of PHP was released, I checked their site and it is wide open too (PHP.NET). hXXp://www.php(dot)net/server-status

Software Engineer. Bitsum LLC.
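The post says "check your server" and mentions that the ?auto parameter returns the same status in a machine-readable format. The script below is an added example, not code from the post or from Bitsum: it audits a list of your own hosts for the three paths named above (/server-status, /server-info, /whm-server-status), classifies each response as exposed, protected or unreachable, and parses the key: value lines of a ?auto response to show the sort of numbers (busy/idle workers, request rate) that an open status page hands out. The host demo.example, the constructed responses in DEMO_RESPONSES, and the SAMPLE_AUTO text are all made up for the example so it runs offline; the field names in SAMPLE_AUTO are the ones mod_status actually emits.

```python
"""Audit your own hosts for publicly reachable Apache status pages (added example)."""
import re
import sys
import urllib.error
import urllib.request

# Paths named in the post: mod_status, mod_info, and cPanel/WHM's alias for mod_status.
STATUS_PATHS = ("/server-status", "/server-status?auto", "/server-info", "/whm-server-status")

# Constructed sample of the ?auto format (field names are mod_status's own; values are invented).
SAMPLE_AUTO = """Total Accesses: 12345
Total kBytes: 67890
Uptime: 3600
ReqPerSec: 3.43
BytesPerSec: 19310
BusyWorkers: 12
IdleWorkers: 38
Scoreboard: WWWKKK______RRRR..............................................
"""

# Constructed responses for the hypothetical host demo.example, used instead of the network.
DEMO_RESPONSES = {
    "http://demo.example/server-status": (200, "<html><head><title>Apache Server Status for demo.example</title></head></html>"),
    "http://demo.example/server-status?auto": (200, SAMPLE_AUTO),
    "http://demo.example/server-info": (403, ""),
    "http://demo.example/whm-server-status": (404, ""),
}


def fetch(url, timeout=10):
    """Fetch a URL and return (http_status, body). Network failures return (None, "")."""
    req = urllib.request.Request(url, headers={"User-Agent": "status-audit/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:  # 4xx/5xx still tells us the handler is not open
        return e.code, ""
    except (urllib.error.URLError, OSError):
        return None, ""


def demo_fetch(url, timeout=10):
    """Offline stand-in for fetch() that answers from DEMO_RESPONSES."""
    return DEMO_RESPONSES.get(url, (None, ""))


def classify(status, body):
    """'exposed' only when a 200 carries real mod_status/mod_info content; 401/403/404 count as protected."""
    markers = ("Apache Server Status", "Apache Server Information", "Scoreboard:")
    if status == 200 and any(m in body for m in markers):
        return "exposed"
    if status in (401, 403, 404):
        return "protected"
    if status is None:
        return "unreachable"
    return "unknown"


def parse_auto(body):
    """Parse the 'Key: value' lines of a ?auto response into a dict of strings."""
    fields = {}
    for line in body.splitlines():
        m = re.match(r"^([A-Za-z][\w ]*?):\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def worker_utilisation(fields):
    """Fraction of workers busy, computed from the BusyWorkers/IdleWorkers fields (0.0 if absent)."""
    busy = int(fields.get("BusyWorkers", 0))
    idle = int(fields.get("IdleWorkers", 0))
    total = busy + idle
    return busy / total if total else 0.0


def audit(host, fetcher=fetch, paths=STATUS_PATHS, scheme="http"):
    """Return {path: verdict} for one host, using the injected fetcher."""
    return {path: classify(*fetcher(f"{scheme}://{host}{path}")) for path in paths}


if __name__ == "__main__":
    # usage: python status_audit.py host1 host2 ...   (no arguments runs the offline demo host)
    for host in sys.argv[1:] or ["demo.example"]:
        fetcher = demo_fetch if host == "demo.example" else fetch
        for path, verdict in audit(host, fetcher=fetcher).items():
            print(f"{host}{path}: {verdict}")
        if host == "demo.example":
            f = parse_auto(SAMPLE_AUTO)
            print(f"  ?auto reveals {f['BusyWorkers']} busy / {f['IdleWorkers']} idle workers "
                  f"({worker_utilisation(f):.0%} busy), {f['ReqPerSec']} req/s")
```

Run it against hostnames you administer and treat every "exposed" line as a configuration to fix; an HTTPS-only site needs scheme="https". On Apache 2.4 the equivalent of the Order/Deny/Allow block in the post is `Require local` plus `Require ip <your-range>` inside the same `<Location>`.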

Jeremy Collake

I've been 'screaming' about this for the last day, trying to get someone to notice, so that a general advisory can be sent to ALL server admins to check their configuration -- as CLEARLY a lot of vulnerable servers exist, if my small test is any indication. I've recreated the post at G+: https://plus.google.com/110469164034872408057/posts/ER9y6Ubpz8d

I encourage everyone to spread the word, organically. Make sure your favorite servers are secure, and make sure you have the privacy we all assumed always existed!

Miroku4444

No wonder so many sites get attacked so often. People need to hire better IT people when they set their sites up.

Jeremy Collake

Quote from: Miroku4444 on March 02, 2012, 10:04:08 PM
No wonder so many sites get attacked so often. People need to hire better IT people when they set their sites up.

No kidding, this may be Anonymous's secret weapon ;p. I was *shocked* to find so many big sites wide open in my handful of tests.

Miroku4444

Quote from: bitsum.support on March 02, 2012, 10:20:52 PM
Quote from: Miroku4444 on March 02, 2012, 10:04:08 PM
No wonder so many sites get attacked so often. People need to hire better IT people when they set their sites up.

No kidding, this may be Anonymous's secret weapon ;p. I was *shocked* to find so many big sites wide open in my handful of tests.

I guess they think nothing will ever happen, that's when it usually does.


I guess we don't have to worry about that from Bitsum??  :)

Jeremy Collake

Quote from: Miroku4444 on March 03, 2012, 02:06:02 AM
I guess we don't have to worry about that from Bitsum??  :)

Well, I have this, and as much as I can locked down, that's for sure ;). I try to do better than the average joe, and better than many much larger companies it seems. Not that I'm unhackable, only a fool would make that claim. However, I am *very* security conscious, which gives me a lot better chance than all those who give it only half a passing thought.

Jeremy Collake

I restored this topic, after having doubts as to whether I should post misc things like this. I am still *very* disturbed by the lack of concern by web admins and the general security crowd. Perhaps they just aren't aware yet. Meanwhile, I noticed PHP was updated today, and of course, being an Apache foundation project, their server is wide open too .. hXXp://php.net/server-status . Funny thing is that they are running an extremely old version of both Apache and PHP, lol. At least Apache is running their latest beta code.

Unrelated: Today GITHub was hacked. The person who did it *tried* to report the problem. He created a ticket, but they closed it. He re-opened it. Repeat process a few times. Finally, he just 'did it' to get someone's attention ;p. That's almost the way I feel. It's amazing how defensive people get about such things. No server admin will thank you for pointing out a security flaw, for instance.