Apache Server-Status Detected

Summary#

Invicti detected that Apache server-status is enabled.

Information disclosed from this page can be used to gain additional information about the target system.

Impact#

An attacker can gather reconnaissance information about the internals of the target web server, such as:

Server uptime
Individual request-response statistics and CPU usage of the working processes
Current HTTP requests, client IP addresses, requested paths, and processed virtual hosts

This type of information can help the attacker gain a greater understanding of the system in use and the other potential avenues of attack available.

Remediation#

We recommend disabling this functionality. Comment out the Location/server-info section from Apache configuration file httpd.conf (for Redhat, Centos, Fedora) or apache2.conf (for Debian, Ubuntu).

Classifications#

WASC-14, OWASP 2013-A5, CWE-16, CAPEC-347, OWASP 2017-A6, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:H/RL:O/RC:C, ISO27001-A.18.1.3

Apache Server-Status Detected

Related Articles

Build your resistance to threats. And save hundreds of hours each month.