One of the things my clients like about my work is that I always do my best to provide technical Proofs of Concept for the findings I discover. This makes it easier for technical departments to reproduce the issues, and it is also a nice way to show how bugs and issues can actually be exploited.
I recently had an assessment in which I discovered a number of publicly exposed Apache server-status instances. In case you are not familiar with Apache server-status, feel free to read this document.
When I initially reported it to the company, the team thought it would be an acceptable risk to leave it there.
I believe Apache server-status should not be publicly accessible, as it poses a major privacy and security risk.
What Information can be exposed?
* Hidden and obscure files and directories.
* Session tokens in GET request URIs (e.g. https://example.com/?token=123). If tokens are passed via the GET method, they will be exposed regardless of the SSL encryption in use.
* All clients' IP addresses, along with the URLs those clients have requested.
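For the defending side, the exposure above comes down to a mod_status `<Location>` that any client may reach. The following is an added configuration example (not from the post or from server-status_PWN) showing the weak form beside a restricted one; the `10.0.0.0/8` admin range and the `/server-status` path are assumed placeholders, and the `ExtendedStatus` note assumes Apache 2.4 behaviour.

```apache
# Weak: the status handler answers to anyone on the internet.
# This is the configuration that leaks client IPs, requested URIs
# (including any ?token=... query strings) and internal paths.
<Location "/server-status">
    SetHandler server-status
    Require all granted
</Location>

# Restricted: only loopback and an assumed admin network (10.0.0.0/8)
# may read the page, and per-request detail is switched off.
# Since Apache 2.3.6, loading mod_status turns ExtendedStatus On by
# default; Off drops the per-connection Client/VHost/Request table and
# leaves only the worker scoreboard.
ExtendedStatus Off
<Location "/server-status">
    SetHandler server-status
    Require ip 127.0.0.1 ::1 10.0.0.0/8
</Location>
```

If the status page is not used at all, the simplest fix is to not load mod_status (e.g. `a2dismod status` on Debian-based systems) and confirm that `/server-status` returns 403 or 404 from an external address.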
What do we need as attackers?
Also, if we are performing an intelligence engagement, we would need all IPs that interact with the Apache server hosting our target website, along with the requested URLs. Then we need to constantly monitor the service on the hour.
What have I done to Solve the Issue?
So, I wrote server-status PWN.
Introducing server-status PWN
Example Tool Output:
The tool basically does exactly what I needed. If anyone has additional ideas they would like pushed into server-status_PWN, let me know and I will be happy to implement them.
server-status_PWN Homepage: https://github.com/mazen160/server-status_PWN
If you have a project or would like your application/network to be tested, I provide freelancing penetration testing services. Feel free to email me at <Mazin AT MazinAhmed DOT net>, and check the Hire Me page.
[February 20, 2017] Update: The Apache Foundation has made changes to its official Apache server-status instance, which was available at: https://www.apache.org/server-status
Initially, it was publicly and intentionally accessible. Now it shows a large notice stating that the data is "static data" and does not hold any users' data or information. Great job as always by the Apache Foundation in protecting users' security and privacy.