Vulnerabilities / Threats
11/2/2012
02:36 PM
Connect Directly
RSS
E-Mail
50%
50%

Apache Server Setting Mistakes Can Aid Hackers

Numerous large companies that use free Apache server software leave internal status pages visible, which can help hackers exploit networks.

Who Is Hacking U.S. Banks? 8 Facts
Who Is Hacking U.S. Banks? 8 Facts
(click image for larger view and for slideshow)
Apache server administrators: Have you hidden your status pages?

According to a study of 10 million websites released last week, more than 2,000 sites -- including big-name businesses such as Cisco, Ford and Staples -- have left the status pages for their Apache servers visible, which could give attackers information that would help them penetrate corporate networks.

That research comes via Daniel Cid, CTO of Sucuri, who published a list of 2,072 websites that Sucuri Malware Labs identified as having exposed Apache status pages.

According to Apache documentation, the Apache mod_status module "allows a server administrator to find out how well their server is performing," via an HTML page that delivers up-to-date server statistics. "It is basically an HTML page that displays the number of [processes] working, status of each request, IP addresses that are visiting the site, pages that are being queried and things like that. All good," said Cid in a related blog post.

"However, this feature can also have security implications if you leave it wide open to the world. Anyone would be able to see who is visiting the site, the URLs and sometimes even find hidden -- obscure -- admin panels or files that should not be visible to the outside," he said. "That can help attackers easily find more information about these environments and use them for more complex attacks."

[ Shore up your defenses and trick attackers into revealing their identities. See 9 Facts: Play Offense Against Security Breaches. ]

Thankfully, there's a simple fix, said Cid: "For server admins, please disable server-status or restrict it to only a set of IP addresses that really need to use it."

By Monday, seven of 13 big-name sites highlighted by Cid in his blog post -- including CloudFlare, Disney and TweetDeck -- had hidden their status pages in response, while Apache.com, Cisco.com, Ford.com, MetCafe, Staples and Yellow Pages had not.

Security experts recommend that all Apache administrators verify that their installations aren't exposing server status information. "I was pretty sure the sites I run for myself and my customers were OK, but since paranoia is a good trait of a security-conscious techie, I double checked," said developer Steve Madsen in a blog post. "Imagine my surprise when I found that one of my sites did the very same thing, as did one of my customer's."

What was the issue? He traced the problem to how the virtual hosts were configured, but said that Apache may also be mishandling one of the Debian Linux variables involved. "Is this problem actually a security bug in Apache? If so, it is much more serious than the exposure of mod_status information," he said.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-2595
Published: 2014-08-31
The device-initialization functionality in the MSM camera driver for the Linux kernel 2.6.x and 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, enables MSM_CAM_IOCTL_SET_MEM_MAP_INFO ioctl calls for an unrestricted mmap interface, which all...

CVE-2013-2597
Published: 2014-08-31
Stack-based buffer overflow in the acdb_ioctl function in audio_acdb.c in the acdb audio driver for the Linux kernel 2.6.x and 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to gain privileges via an application that lever...

CVE-2013-2598
Published: 2014-08-31
app/aboot/aboot.c in the Little Kernel (LK) bootloader, as distributed with Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to overwrite signature-verification code via crafted boot-image load-destination header values that specify memory ...

CVE-2013-2599
Published: 2014-08-31
A certain Qualcomm Innovation Center (QuIC) patch to the NativeDaemonConnector class in services/java/com/android/server/NativeDaemonConnector.java in Code Aurora Forum (CAF) releases of Android 4.1.x through 4.3.x enables debug logging, which allows attackers to obtain sensitive disk-encryption pas...

CVE-2013-6124
Published: 2014-08-31
The Qualcomm Innovation Center (QuIC) init scripts in Code Aurora Forum (CAF) releases of Android 4.1.x through 4.4.x allow local users to modify file metadata via a symlink attack on a file accessed by a (1) chown or (2) chmod command, as demonstrated by changing the permissions of an arbitrary fil...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.