Apache perl-status enabled
Description
The Apache2::Status module provides a web-accessible interface that displays detailed information about the Perl interpreter embedded in the Apache web server. When enabled and publicly accessible, this status page exposes internal server configuration details, loaded modules, environment variables, and interpreter state information. This information disclosure can assist attackers in identifying software versions, understanding the server's internal architecture, and planning targeted attacks against known vulnerabilities.
Remediation
Disable the Apache2::Status module entirely if it is not required for operational purposes. If the status page is needed for monitoring or debugging, restrict access with IP-based access control so that only trusted administrative networks can reach it. To disable, remove or comment out the relevant configuration in your Apache configuration file:
<Location /perl-status>
    SetHandler perl-script
    PerlResponseHandler Apache2::Status
</Location>
To restrict access by IP address, modify the configuration as follows:
<Location /perl-status>
    SetHandler perl-script
    PerlResponseHandler Apache2::Status
    Require ip 192.168.1.0/24
    Require ip 10.0.0.5
</Location>
After making changes, validate the configuration with apachectl configtest and restart Apache to apply the changes.
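To confirm the remediation across configuration files, the following added example (not part of the original advisory) scans Apache configuration text for active Location blocks that serve Apache2::Status and reports whether each carries a Require restriction. The function name audit_perl_status and the sample configuration are constructed for illustration; the check assumes Apache 2.4 Require syntax as used above and does not follow Include directives or restrictions inherited from enclosing containers.

```python
import re

# Constructed sample configuration (not taken from any real server).
SAMPLE_CONF = """\
<Location /perl-status>
    SetHandler perl-script
    PerlResponseHandler Apache2::Status
</Location>

<Location /perl-status-admin>
    SetHandler perl-script
    PerlResponseHandler Apache2::Status
    Require ip 192.168.1.0/24
    Require ip 10.0.0.5
</Location>

#<Location /old-status>
#    PerlResponseHandler Apache2::Status
#</Location>
"""

LOCATION_OPEN = re.compile(r'^<Location(?:Match)?\s+"?([^">]+)"?\s*>$', re.I)
LOCATION_CLOSE = re.compile(r'^</Location(?:Match)?>$', re.I)

def audit_perl_status(conf_text):
    """Return [(path, 'exposed' | 'restricted'), ...] for active Apache2::Status blocks."""
    findings, path, directives = [], None, []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # skip blanks and commented-out config
            continue
        opened = LOCATION_OPEN.match(line)
        if opened:
            path, directives = opened.group(1).strip(), []
        elif LOCATION_CLOSE.match(line) and path is not None:
            lowered = [" ".join(d.lower().split()) for d in directives]
            if any(d.startswith("perlresponsehandler") and "apache2::status" in d for d in lowered):
                requires = [d for d in lowered if d.startswith("require ")]
                # No Require at all, or "Require all granted", leaves the page open.
                is_open = not requires or "require all granted" in requires
                findings.append((path, "exposed" if is_open else "restricted"))
            path = None
        elif path is not None:
            directives.append(line)
    return findings

if __name__ == "__main__":
    for location, verdict in audit_perl_status(SAMPLE_CONF):
        print(f"{location}: {verdict}")
```

Any block reported as exposed should be removed or given Require ip lines as shown above, followed by apachectl configtest.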