Popular Sites with Apache mod_status Enabled

Earlier this week, Sucuri Security researcher Daniel Cid revealed that a very large number of popular sites expose their /server-status page to the world.

I was pretty sure the sites I run for myself and my customers were OK, but since paranoia is a good trait of a security-conscious techie, I double checked. Imagine my surprise when I found that one of my sites did the very same thing, as did one of my customers'. Further imagine my surprise when I found that these servers, which run Debian Linux with an unmodified mod_status configuration, appeared to be properly limiting /server-status to 127.0.0.1 ::1 (that's IPv4 and IPv6 localhost, respectively).

I tracked the problem down to this bit of configuration in the affected virtual hosts:

<Location "/">
    <LimitExcept GET POST PUT DELETE>
        Order deny,allow
        Deny from all
    </LimitExcept>
</Location>

To be clear: the more-specific Location /server-status in the global configuration appears to be overridden by the less-specific Location / in a virtual host. Furthermore, Apache is actually treating that LimitExcept as if it were written like this:

<Location "/">
    <LimitExcept GET POST PUT DELETE>
        Order deny,allow
        Deny from all
    </LimitExcept>
    <Limit GET POST PUT DELETE>
        Order allow,deny
        Allow from all
    </Limit>
</Location>
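One mitigation that does not depend on how the override question is resolved is to restate the /server-status restriction inside every virtual host that carries the Location "/" block. The configuration below is an added example, not the configuration from the original post; the ServerName and DocumentRoot are placeholders, and it assumes the Debian-style global mod_status configuration already sets the server-status handler.

```apache
# Added example (not the original post's configuration): a virtual host that
# keeps the LimitExcept block but re-applies the /server-status restriction
# inside the same vhost, so it is not lost to the Location "/" override.
# ServerName and DocumentRoot are placeholders.
<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot /var/www/example

    # Weak: on its own, this vhost-level Location "/" ends up overriding the
    # global <Location /server-status> restriction, exposing server-status.
    <Location "/">
        <LimitExcept GET POST PUT DELETE>
            Order deny,allow
            Deny from all
        </LimitExcept>
    </Location>

    # Corrected: repeat the localhost-only rule in the vhost itself. Location
    # sections are merged in the order they appear, so placing this block after
    # the Location "/" block makes it the last access rule applied to
    # /server-status. The handler itself is already set by the global
    # mod_status configuration, so only the access control is restated here.
    <Location "/server-status">
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1 ::1
        # On Apache 2.4 the three lines above are replaced by:  Require local
    </Location>
</VirtualHost>
```

After `apachectl -t` and a reload, confirm from a non-local address that /server-status now returns 403; a 200 from outside means the override is still winning.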

Is this problem actually a security bug in Apache? If so, it is much more serious than the exposure of mod_status information.