Apache mod_status.
This is the kind of reconnaissance that is often forgotten about. It is simple and effective. Apache has a module called mod_status, which lets administrators generate a page with server information: requests, CPU usage, uptime and various other bits. Obviously such a page must be protected and made accessible only from 127.0.0.1 or some other intranet address. Now, call me curious, but for just a moment I wondered whether Apache.org had installed this very same module. That is the kind of thinking I like: you expect not, but you try anyway. And to my amazement, they have it running in such a way that you can view the server-status page remotely.
http://www.apache.org/server-status?refresh=5
The output is something like this:
Apache Server Status for www.apache.org
Server Version: Apache/2.2.8 (Unix)
Server Built: Jan 11 2008 03:41:24
Current Time: Sunday, 11-May-2008 17:41:18 GMT
Restart Time: Sunday, 27-Apr-2008 14:20:46 GMT
Parent Server Generation: 35
Server uptime: 14 days 3 hours 20 minutes 32 seconds
Total accesses: 20168279 - Total Traffic: 12463.1 GB
CPU Usage: u4793.84 s22050.7 cu0 cs0 - 2.2% CPU load
16.5 requests/sec - 10.4 MB/second - 0.6 MB/request
13 requests currently being processed, 87 idle workers
And then a full list of all requests being handled on the WHOLE server, across every virtual host it serves (note both mail-archives.apache.org and www.apache.org below):
0-35 3696 0/274/131693 _ 1275.36 0 43 0.0 18.63 68052.16 74.64.97.135 mail-archives.apache.org GET /mod_mbox/incubator-heraldry-dev/?format=atom HTTP/1.1
0-35 3696 0/331/133789 _ 1260.89 45 7 0.0 35.06 67714.56 74.6.21.221 mail-archives.apache.org GET /mod_mbox/httpd-cvs/199912.mbox/%3c19991224211227.29151.qma
0-35 3696 0/325/132987 _ 1261.21 37 1 0.0 14.95 64226.60 221.155.117.50 www.apache.org GET /images/asf-logo.gif HTTP/1.1
0-35 3696 0/381/132079 _ 1275.31 2 1 0.0 26.66 66800.09 59.94.105.135 www.apache.org GET /favicon.ico HTTP/1.1
0-35 3696 0/352/131973 _ 1260.16 60 2 0.0 6.48 67252.40 124.182.29.39 www.apache.org GET /style/compressed.css HTTP/1.1
0-35 3696 0/272/133733 _ 1258.50 66 429 0.0 2.02 66097.19 66.249.73.69 mail-archives.apache.org GET /mod_mbox/geronimo-servicemix-commits/200612.mbox/%3C200612
0-35 3696 0/372/132626 _ 1207.56 64 0 0.0 8.71 67412.13 79.67.251.89 mail-archives.apache.org GET /archives/asf_logo_simple.png HTTP/1.1
0-35 3696 0/282/131652 _ 1275.12 4 77 0.0 22.17 66882.72 65.55.235.139 mail-archives.apache.org GET /mod_mbox/httpd-cvs/200204.mbox/author HTTP/1.0
0-35 3696 0/360/132699 _ 1271.84 10 16 0.0 3.39 65580.91 66.249.73.69 www.apache.org GET /dist/commons/transaction/source/?C=S;O=A HTTP/1.1
0-35 3696 0/255/132419 _ 1253.20 71 77 0.0 16.80 65998.16 66.249.73.69 mail-archives.apache.org GET /mod_mbox/ofbiz-user/200609.mbox/%3C966739BB-704E-492D-93D5
0-35 3696 0/294/134198 _ 1260.12 62 16 0.0 7.58 66850.80 66.249.73.69 mail-archives.apache.org GET /mod_mbox/tomcat-users/200406.mbox/%3CDFC0AAB1-B915-11D8-AB
0-35 3696 0/379/132988 _ 1260.72 51 1 0.0 13.80 65103.83 212.251.168.234 www.apache.org GET /ads/ApacheCon/2007-europe-125x125.png HTTP/1.1
0-35 3696 0/334/134733 _ 1275.05 8 271 0.0 14.26 68360.50 192.248.8.100 www.apache.org GET /dyn/closer.cgi/httpd/binaries/win32/ HTTP/1.0
0-35 3696 0/398/134066 _ 1269.44 13 1 0.0 44.18 66286.38 58.16.104.191 www.apache.org GET /images/feather-small.gif HTTP/1.1
etc...
Now what is wrong with this picture, I ask you? The answer is very simple. If I can reach this page, I can poll it at an interval of one second, parse all requests remotely, and grep or regex out patterns that disclose sensitive information. Since the page covers every virtual host on the server, somewhere, sometime, someone will access a protected hidden directory that we could not locate through Google. One thought further: sessions, tokens or passwords hardcoded into a GET request, which we can store for further analysis or abuse in real time with CSRF or session stealing. Apache provides a method for that as well, which lets us grab the status in a machine-readable format:
http://www.apache.org/server-status?auto
Note that ?auto returns only the counters and the scoreboard string as plain text; the per-request table with client addresses and URLs (which needs ExtendedStatus On) is only in the HTML page, so that is the one to parse.
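A concrete version of the polling-and-grepping described above, as an added example that is not code from the original post or from the Apache project. It parses the ExtendedStatus table in the listing above (column order Srv, PID, Acc, M, CPU, SS, Req, Conn, Child, Slot, Client, VHost, Request), flags query parameters that look like session or credential material and paths that look like hidden directories, and reports each request only once across repeated polls. The regexes, the example hostnames and the sample rows (constructed, apart from two copied from the listing) are assumptions made for this example. Run it with a server-status URL as its argument to poll a live page, or without one to scan the built-in sample.

```python
#!/usr/bin/env python3
"""Poll an exposed Apache mod_status page and record request lines that leak
something worth keeping: credentials or session material in a GET query
string, and paths one would not expect a search engine to know about.

Added example for this post, not code from the original or from the Apache
project.  Column layout is the ExtendedStatus table shown in the post
(Srv PID Acc M CPU SS Req Conn Child Slot Client VHost Request).  The rows
in SAMPLE are constructed, apart from two copied from the post's listing."""
import html
import re
import sys
import time
import urllib.request
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple
from urllib.parse import parse_qsl, urlsplit

# Query parameter names that usually carry credentials or session material
# (assumed list for the example; extend to taste).
SENSITIVE_PARAM = re.compile(
    r"(?:.*[_-])?(sess(?:ion)?(?:id)?|sid|token|auth|pass(?:word)?|pwd|secret"
    r"|api[_-]?key|jsessionid|phpsessid)(?:[_-].*)?",
    re.I,
)
# Path prefixes that are usually kept out of search engines (assumed list).
HIDDEN_PATH = re.compile(
    r"/(admin|manager|private|internal|backup|\.git|\.svn|phpmyadmin)(/|$)", re.I
)
ACC_FIELD = re.compile(r"\d+/\d+/\d+")  # the Acc column: conn/child/slot


@dataclass
class StatusRequest:
    client: str
    vhost: str
    method: str
    url: str
    protocol: Optional[str]  # None when mod_status truncated the request column


def parse_scoreboard_line(line: str) -> Optional[StatusRequest]:
    """Parse one row of the ExtendedStatus table; return None for anything else.
    The Request column is the worker's current or most recent request, so even
    an idle worker ('_') tells you what was just served."""
    parts = line.split(None, 12)
    if len(parts) < 13 or not parts[1].isdigit() or not ACC_FIELD.fullmatch(parts[2]):
        return None
    request = parts[12].split()
    if len(request) < 2 or not request[0].isalpha() or not request[0].isupper():
        return None
    protocol = request[2] if len(request) > 2 else None
    return StatusRequest(parts[10], parts[11], request[0], request[1], protocol)


def findings(req: StatusRequest) -> List[str]:
    """What, if anything, is interesting about one request line."""
    notes = []
    url = urlsplit(req.url)
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if SENSITIVE_PARAM.fullmatch(name):
            notes.append(f"sensitive query parameter {name}={value}")
    if HIDDEN_PATH.match(url.path):
        notes.append(f"hidden path {url.path}")
    return notes


class StatusWatcher:
    """Scans successive server-status snapshots, reporting each request once."""

    def __init__(self) -> None:
        self.seen: Set[Tuple[str, str, str, str]] = set()

    def scan(self, text: str) -> List[Tuple[str, str, str, str, str]]:
        # The live page is HTML: one <tr> per worker, request text HTML-escaped.
        text = re.sub(r"</tr\s*>", "\n", text, flags=re.I)
        text = html.unescape(re.sub(r"<[^>]+>", " ", text))
        hits = []
        for line in text.splitlines():
            req = parse_scoreboard_line(line)
            if req is None:
                continue
            key = (req.client, req.vhost, req.method, req.url)
            if key in self.seen:
                continue
            self.seen.add(key)
            for note in findings(req):
                hits.append((req.client, req.vhost, req.method, req.url, note))
        return hits


def fetch_status(url: str) -> str:
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")


def watch(url: str, interval: float = 1.0) -> None:
    """Poll every `interval` seconds: the one-second loop the post describes."""
    watcher = StatusWatcher()
    while True:
        for client, vhost, method, path, note in watcher.scan(fetch_status(url)):
            print(f"{client} {vhost} {method} {path}  <- {note}")
        time.sleep(interval)


# Constructed sample; the first two rows are copied from the post's listing.
SAMPLE = """\
0-35 3696 0/274/131693 _ 1275.36 0 43 0.0 18.63 68052.16 74.64.97.135 mail-archives.apache.org GET /mod_mbox/incubator-heraldry-dev/?format=atom HTTP/1.1
0-35 3696 0/381/132079 _ 1275.31 2 1 0.0 26.66 66800.09 59.94.105.135 www.apache.org GET /favicon.ico HTTP/1.1
0-35 3697 0/12/131700 W 12.10 0 5 0.0 1.00 100.00 198.51.100.7 intranet.example.org GET /admin/reports.cgi?month=5 HTTP/1.1
0-35 3698 0/40/131800 _ 13.40 3 1 0.0 0.50 80.00 203.0.113.9 www.example.org GET /login.php?user=bob&PHPSESSID=abc123def456 HTTP/1.0
0-35 3698 0/41/131801 _ 13.40 3 1 0.0 0.50 80.00 203.0.113.9 www.example.org GET /api/v1/items?api_key=EXAMPLE_KEY_0000&limit=20
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        watch(sys.argv[1])  # e.g. http://target/server-status
    else:
        for hit in StatusWatcher().scan(SAMPLE):
            print(*hit)
```

The dedup key is (client, vhost, method, url), so a request that stays in the same worker slot across several one-second polls is reported once; a second visit to the same URL by the same client is also collapsed, which is the right trade-off when you only care about collecting distinct leaks. Truncated request columns (the listing shows several) are kept, with the protocol field left empty, since the path prefix is usually still enough to identify a hidden directory.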
Another concern is the privacy risk to the people who visit any domain served by a host with mod_status exposed: their IP addresses and the URLs they request are shown to anyone who loads the page, and if the page itself gets indexed by Google, that information becomes searchable.
Overall, it is a bad idea to leave this unprotected.
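The protection the post calls for, as an added configuration example that is not from the post and is not apache.org's actual configuration (which the post does not show). The first block is the exposed shape: the handler enabled with no access restriction. The second restricts the page to the loopback addresses and one monitoring host, with 192.0.2.10 as a placeholder. Use one form or the other: the `Require` lines are Apache 2.4 (mod_authz_core), the commented `Order`/`Allow`/`Deny` lines are what 2.2.x, the version in the listing, uses. Apache does not accept a comment after a directive on the same line, so the notes sit on lines of their own.

```apache
# Exposed: anyone who can reach the host can read the scoreboard.
# (Assumed shape for the example; the post does not show the real config.)
<Location /server-status>
    SetHandler server-status
    # 2.4 form
    Require all granted
    # 2.2 form
    # Order allow,deny
    # Allow from all
</Location>

# Restricted: only loopback and the monitoring host 192.0.2.10 (placeholder).
<Location /server-status>
    SetHandler server-status
    # 2.4 form (mod_authz_core)
    Require ip 127.0.0.1 ::1 192.0.2.10
    # 2.2 form (mod_authz_host)
    # Order deny,allow
    # Deny from all
    # Allow from 127.0.0.1 ::1 192.0.2.10
</Location>

# ExtendedStatus is what produces the per-request table with client
# addresses and URLs; the summary counters appear either way. It is a
# server-wide directive, not per-Location, and defaults to Off on 2.2 and
# to On on 2.4 once mod_status is loaded. Turn it off if the page has to
# stay reachable for a monitoring tool that only needs the counters.
ExtendedStatus Off
```

Check it before and after a graceful restart: `apachectl -t` validates the syntax, and `curl -sI http://www.example.org/server-status` from an address outside the allowed list should come back 403 Forbidden while the same request from the host itself still returns the page.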