In association with heise online

01 November 2012, 09:35

Tell-tale status pages


Many web servers, including those of banks, porn sites and other online portals, publish security- and privacy-relevant information about their users on status pages that are publicly accessible. The cause is the originally harmless mod_status Apache module, or rather the careless way in which many administrators deploy this useful tool.

The module serves a /server-status page that presents system load information, including the currently active connections, complete with the clients' IP addresses and the URLs they requested. This information is useful to the administrator, but it becomes a problem in the wrong hands. When, for example, an adult web site publishes the IP addresses of its customers, or German courier company Deutsche Post at least partially discloses the session IDs of Postpay payment service transactions that have just been completed, it is clear that this information is definitely worth protecting.

Figure: A payment processing service's session ID is definitely worth protecting, as it allows an attacker to hijack a logged-in user's session.

Still, hundreds of servers make this information freely available to anyone, and the pages are easily found with search engines. Shortly after the problem became known, Santander bank blocked access to its status page; at least one German bank, however, has yet to react. Even seemingly harmless details may disclose paths, server names or request parameters that can be useful in preparing an attack. Security-conscious administrators should therefore at least restrict access to such information to specific IP addresses, or require visitors to authenticate.
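The following Apache configuration is an added example and is not taken from the article or from any of the sites it mentions. It shows a mod_status setup in the exposed form that produces the leak described above, beside a restricted form of the kind the last paragraph recommends. The directives are the module's documented ones; the administration network range is a placeholder.

```apache
# Added example, not from the original article. Apache 2.4 syntax.
# The 192.0.2.0/24 range stands in for an administration network.

# Exposed form: anyone who can reach the server may read /server-status,
# and with ExtendedStatus On the page lists every active request with its
# client IP address and request line (path, query string, and therefore any
# session ID carried in the URL).
ExtendedStatus On
<Location "/server-status">
    SetHandler server-status
    Require all granted
</Location>

# Restricted form: only loopback and the placeholder administration network
# may read the page; every other client receives 403 Forbidden.
# ExtendedStatus Off additionally drops the per-request table from the page,
# leaving only the worker scoreboard and load summary.
ExtendedStatus Off
<Location "/server-status">
    SetHandler server-status
    Require ip 127.0.0.1 ::1 192.0.2.0/24
</Location>

# Apache 2.2 equivalent of the restricted form (mod_authz_host syntax):
# <Location /server-status>
#     SetHandler server-status
#     Order deny,allow
#     Deny from all
#     Allow from 127.0.0.1 ::1 192.0.2.0/24
# </Location>
```

Only one of the two <Location> blocks should be present in a real configuration; the exposed form is shown for contrast. After changing the configuration, run `apachectl configtest` and reload, then request /server-status from an address outside the allowed range and confirm that the response is 403 rather than 200. If the status page is not needed at all, the simplest fix is to not load mod_status in the first place.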

