Thursday, December 7, 2017

How To Remediate /server-info and /server-status Information Disclosure vulnerabilities on Apache HTTP Server

If you administer an internet-facing website, keeping it secure against both known and unforeseen threats is part of the job.

Your organization's security team or PCI compliance assessors will periodically scan your web server to check how well it is hardened.
In today's post we will discuss:

How to remediate the /server-info and /server-status information disclosure findings on Apache HTTP Server.


When you get the vulnerability scan report for your Apache HTTP server, the findings are usually listed like this:
  • Apache mod_info /server-info Information Disclosure Vulnerability - mod_info is an optional Apache module that provides a comprehensive overview of the server configuration.
  • Apache /server-info Information Disclosure - An information disclosure vulnerability in the Apache web server allows attackers to view system configuration data.
  • Apache /server-status Information Disclosure - An information disclosure vulnerability in the Apache web server allows attackers to view sensitive runtime and configuration data on the targeted host.

If the scan finds anything, you receive a vulnerability report and are asked to remediate or mitigate the findings as soon as possible.

/server-info and /server-status are not tags but handlers provided by two optional Apache modules, mod_info and mod_status. Webmasters and server administrators use them to inspect the server's configuration and current state. /server-status shows uptime, worker activity and, when ExtendedStatus is on (the default in Apache 2.4), the client IP address, virtual host and request line of every request in flight; /server-info dumps the server version, the loaded modules and the effective configuration directives. That is exactly the reconnaissance an attacker wants (internal hostnames, application paths, other clients' requests, which modules are present), so the administrator must either disable these two handlers or restrict access to them. Note the exact spelling: scanners probe the lowercase, hyphenated paths /server-status and /server-info, and a <Location> block for a differently spelled path (for example /Server_Status) does not protect them.


Ideally, /server-info and /server-status should be reachable only from the web server itself, never from outside.


Solution: 

To restrict /server-info and /server-status to local access only:
  1. Log on to the server where Apache is installed.
  2. Go to the Apache installation directory (distribution packages keep the configuration under /etc/httpd or /etc/apache2 instead).
  3. Navigate to the conf directory.
  4. Take a backup of the httpd.conf file.
  5. Edit httpd.conf and add or update the following two sections. The handlers may instead be configured in conf/extra/httpd-info.conf, which httpd.conf includes; edit whichever file currently contains them, and make sure only one copy of each <Location> block remains.

  # mod_status: runtime view of the server (Apache 2.2 access-control syntax;
  # on 2.4 these directives need mod_access_compat, see the note below)
  <Location /server-status>
      SetHandler server-status
      # Evaluate Deny first, then Allow; anything not explicitly allowed is denied
      Order deny,allow
      Deny from all
      # Loopback only: IPv4 and IPv6, since "localhost" may resolve to ::1
      Allow from 127.0.0.1
      Allow from ::1
  </Location>

  # mod_info: dump of loaded modules and configuration
  <Location /server-info>
      SetHandler server-info
      Order deny,allow
      Deny from all
      Allow from 127.0.0.1
      Allow from ::1
  </Location>

Save httpd.conf, check the syntax with apachectl configtest (httpd -t), and then restart or reload the Apache service on your server.

With these settings, Apache serves /server-info and /server-status only to requests that arrive from the loopback address, i.e. from the server itself. Every other client receives HTTP 403 Forbidden. To verify, request each page from the server (expect 200 and the page) and from another host (expect 403). If a reverse proxy or load balancer sits in front of Apache, do not simply allow the proxy's address: every client passing through it would appear to come from that address and be let in.
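The stanza above uses the Apache 2.2 access-control directives (Order/Deny/Allow). On Apache 2.4 those directives only work when mod_access_compat is loaded; without it, configtest fails with "Invalid command 'Order'". The native 2.4 form is Require. The following is an added example, not from the original post, showing the typical exposed configuration next to a hardened fragment for 2.4 that restricts both handlers to the local host. The 10.0.0.5 monitoring-host address in the comment is an assumed placeholder.

```apache
# --- BEFORE (what the scanner flags): handlers mapped with no access control.
# This is how the blocks look in a stock conf/extra/httpd-info.conf once
# the Include for that file is enabled.
<Location "/server-status">
    SetHandler server-status
</Location>
<Location "/server-info">
    SetHandler server-info
</Location>

# --- AFTER: Apache 2.4 syntax for the same two paths.
# If nobody actually uses these pages, the cleanest fix is to comment out
# "LoadModule status_module" and "LoadModule info_module" instead; the
# <IfModule> wrappers below keep these stanzas inert in that case.
<IfModule status_module>
    <Location "/server-status">
        SetHandler server-status
        # "Require local" matches 127.0.0.0/8, ::1 and the server's own
        # addresses. Several Require lines at one level are OR-ed together.
        Require local
        # To let one monitoring host in, name it explicitly (assumed address).
        # Never list the address of a reverse proxy or load balancer that
        # fronts this server: every client behind it would then be allowed.
        # Require ip 10.0.0.5
    </Location>
</IfModule>

<IfModule info_module>
    <Location "/server-info">
        SetHandler server-info
        Require local
    </Location>
</IfModule>
```

After saving, run apachectl configtest, reload Apache, and confirm that a request from the server itself returns 200 with the status page while the same request from any other host returns 403 Forbidden. Keep in mind that the paths are matched by prefix and are case-sensitive, so the Location values must be exactly /server-status and /server-info, the paths a scanner probes.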

That's it!!!!



Note: If Apache came bundled with XAMPP, these sections live in apache\conf\extra\httpd-info.conf (included from httpd.conf) rather than in httpd.conf itself, so edit them there.

The next time your Apache server is scanned, the scanner should receive 403 Forbidden for these two paths and the information disclosure findings above should no longer appear, provided the scanner runs from outside the addresses you allowed.