Earlier this week, Sucuri Security researcher Daniel Cid revealed that a very large number of popular sites expose their /server-status page to the world.
I was pretty sure the sites I run for myself and my customers were OK, but since paranoia is a good trait of a security-conscious techie, I double checked. Imagine my surprise when I found that one of my sites did the very same thing, as did one of my customer’s. Further imagine my surprise when I found that these servers, which run Debian Linux with an unmodified mod_status configuration, appeared to be properly limiting /server-status to 127.0.0.1 ::1 (that’s IPv4 and IPv6 localhost, respectively).
I tracked the problem down to this bit of configuration in the affected virtual hosts:
<Location "/"> <LimitExcept GET POST PUT DELETE> Order deny,allow Deny from all </LimitExcept> </Location>
To be clear: the more-specific Location /server-status in the global configuration appears to be overridden by the less specific Location / in a virtual host. Furthermore, Apache is actually treating that LimitExcept like this:
<Location "/"> <LimitExcept GET POST PUT DELETE> Order deny,allow Deny from all </LimitExcept> <Limit GET POST PUT DELETE> Order allow,deny Allow from all </Limit> </Location>
Is this problem actually a security bug in Apache? If so, it is much more serious than the exposure of mod_status information.