To those who think it isn't a big deal: when GET requests are made public you can snoop "password reset links" and similar to to get access to somebody else's account. Even when developers use best practices GET request paths can leak sensitive information.
Site is down for me, but I thought we agreed last time this was on HN it wasn't really that big of a deal..<p>Previous discussion: <a href="http://news.ycombinator.com/item?id=4661625" rel="nofollow">http://news.ycombinator.com/item?id=4661625</a>
You've got to watch this... Apache typically limits this to localhost, but if you use squid as a reverse proxy (quite common) then you can see this easily being exposed since all requests will appear to come from the local machine.
Even a cursory scan of the <a href="http://urlfind.org/?server-status" rel="nofollow">http://urlfind.org/?server-status</a> list reveals scads of porn sites exposing their visitor's IP addresses:<p>(Note these links go to Apache server-status pages at the time of linking. This may change if the server admins wise up - to be on the safe side consider them NSFW):<p><pre><code> http://black-tgirls.com/server-status
http://badexgfs.com/server-status
http://tubepornx.com/server-status
http://lesbianvalley.net/server-status
..... and many more .....
</code></pre>
Personally, I don't care what consenting adults do with their genitals. But I think it's safe to assume that the visitors to these sites expect a certain level of privacy that's not being met.
This can also lead to DOS issues, as I understand it, the Apache server-status pages are very computationally intensive to produce, and it requires stopping and polling every child.<p>Something like<p><Location /server-status><p><pre><code> SetHandler server-status
Order Deny,Allow
Deny from all
Allow from 10.0.0.0/24
</code></pre>
</Location><p>(where 10.0.0.0 is your local network range) will prevent external requests. This is mentioned in the linked through Apache documentation.
It's also entertaining to google around for nagios dashboards open to the public, e.g.<p><a href="https://www.google.com/search?q=%22View+Host+Status+Detail%22" rel="nofollow">https://www.google.com/search?q=%22View+Host+Status+Detail%2...</a>
Back around 13 years ago I believe the default to have it enabled was changed. That said alot of sites carrier on leaking that way, ft.com was one - even after it was pointed out to them. Eventualy they changed things when I mentioned it to IBM rep who also dealt with FT's account, nice rep.<p>I can see how it can end up being enabled and left open, but it is also that level of administration that opens you up to other more concerning issues, this is a concerning issue for many reasons. If you had a firewall that blocked off by default not exprecitly allowed(with good wildcarding when needed on sub directory's) remote access to everything not the main public site then that would of caught it. If you had a access control , that again would of controled it.<p>Only way some companies will learn is to be hacked or being done under the laws for leaking private data. So if you go onto a sight like that, tell there admin they are in breach of the applicable data protection/privacy laws you have that can cover such things. Then if they don't fix it, cash in on there stupidity and sue them, you get paid for your time and they pay for there crime and learn the only way some do learn. Don't hack them, no need, just use the law. Or get a patent on bad administration and use that to claim back royalties. Crazy approach, but if you have the money to cater for such whims, let us all know how it pans out, profitable and educational for the patent system. Who would contest and claim prior art on stupidity of administrating computers, you would get your money worth in laughs if nothing else.<p>Short version, this is a old issue and you are also breaking data protection/privacy laws - be warned. If you see it, warn them and feel free to educate them via the legal cashmachine.
I found another way to search for a similar status page when trolling for network traffic.<p>Some sample Google queries for the curious:<p><pre><code> intitle:"apache status" inurl:server-status
inurl:web-console/ "jboss Management Console"
</code></pre>
Edited to add more:<p><pre><code> inurl:"/status?full=true"</code></pre>
Another issue we identified is that you can find those "hidden" admin panel or URLs that shouldn't be known to the outside, by just refreshing the page a few times and checking all requests.<p>It is not a best practice, but some companies do and it makes easier for those to be found.<p>thanks,
Someone from tweetdeek frequents this site, because it is fixed there. I am just interested in how busy this sites are. From my quick views Ford and Staples were the busiest.
Another report:
/server-status/?notable<p>Example:<p><a href="http://apache.org/server-status/?notable" rel="nofollow">http://apache.org/server-status/?notable</a>