Apache stronghold-status enabled
Description
The Apache Stronghold /stronghold-status endpoint is publicly accessible, exposing detailed server information to anyone who can reach the web server. Apache Stronghold is a commercial, SSL-enabled web server based on Apache HTTP Server, and /stronghold-status is its equivalent of Apache's standard server-status handler. When this page is enabled and unrestricted, it reveals internal details such as the server version and uptime, loaded modules, configuration settings, worker state and runtime statistics, and (with extended status) the requests currently being served, including request URLs and client addresses. This is reconnaissance material for an attacker and should not be readable from the Internet. Organizations not actively using this monitoring feature should disable it to reduce their attack surface; those that do use it should restrict it to trusted addresses.
Remediation
Disable the /stronghold-status endpoint if it is not required for monitoring purposes. To remediate this issue:
1. Locate your Apache Stronghold configuration file (typically httpd.conf or stronghold.conf; check any included files as well, since the Location block may live in a separate file).
2. Remove or comment out the stronghold-status Location block entirely. A commented-out block looks like this:
# <Location /stronghold-status>
#     SetHandler server-status
#     Order deny,allow
#     Deny from all
#     Allow from localhost
# </Location>
3. If monitoring is required, restrict access to trusted IP addresses only. Note that with "Order deny,allow" the default for clients matching neither list is to allow, so the "Deny from all" line is essential; an Allow line on its own restricts nothing. The directives below use the mod_access syntax of the Apache 1.3/2.2 line that Stronghold is built on; on Apache 2.4 the equivalent is "Require ip <network>". If the server sits behind a reverse proxy or load balancer, the client address Stronghold sees is the proxy's, so an IP allow-list must be enforced at the proxy instead.
<Location /stronghold-status>
SetHandler server-status
Order deny,allow
Deny from all
Allow from 192.168.1.0/24
# Replace with your trusted network range
</Location>
4. Restart Apache Stronghold (a graceful restart is sufficient) to apply the changes.
5. Verify that the endpoint is no longer publicly accessible by requesting /stronghold-status from an external network: the server should answer 403 (restricted) or 404 (disabled), never 200. Also confirm from an address inside the trusted range that monitoring still works, if you kept the block.
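The audit below is an added example, not code from the page's scanner or from the Stronghold product. It parses the stronghold-status Location block out of a config file, evaluates the Order/Allow/Deny directives for a hypothetical external client the way mod_access does, and reports whether the endpoint is disabled, restricted or still exposed; it also includes a small live probe for the verification step. The sample configurations are constructed for the example, and the probe address 203.0.113.5 is a TEST-NET-3 address standing in for an arbitrary Internet client.

```python
"""Audit a Stronghold/Apache 2.2-style config for the /stronghold-status block
and decide whether an arbitrary Internet client could fetch it.
Added example; the configs below are constructed, not taken from a real server."""
import re
from ipaddress import ip_address, ip_network

# Constructed sample configs covering the states a practitioner meets.
EXPOSED_CONF = """
<Location /stronghold-status>
    SetHandler server-status
    Order deny,allow
    Allow from all
</Location>
"""

# Common mistake: "Order deny,allow" defaults to allow and "Deny from all"
# was forgotten, so the Allow line restricts nothing.
MISSING_DENY_CONF = """
<Location /stronghold-status>
    SetHandler server-status
    Order deny,allow
    Allow from 192.168.1.0/24
</Location>
"""

RESTRICTED_CONF = """
<Location /stronghold-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from 192.168.1.0/24 localhost
</Location>
"""

DISABLED_CONF = """
# <Location /stronghold-status>
#     SetHandler server-status
# </Location>
"""


def _strip_comments(conf):
    return "\n".join(l for l in conf.splitlines() if not l.strip().startswith("#"))


def location_directives(conf, path="/stronghold-status"):
    """Directive lines inside <Location path>...</Location>; [] if absent or commented out."""
    text = _strip_comments(conf)
    m = re.search(r"<Location\s+%s\s*>(.*?)</Location>" % re.escape(path), text, re.I | re.S)
    if not m:
        return []
    return [l.strip() for l in m.group(1).splitlines() if l.strip()]


def _host_matches(spec, client):
    """Match one mod_access host spec: all, localhost, IP, CIDR or partial dotted prefix."""
    spec = spec.lower()
    if spec == "all":
        return True
    if spec == "localhost":
        return client.is_loopback
    try:
        return client in ip_network(spec, strict=False)
    except ValueError:
        pass
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){0,2}", spec):  # e.g. "192.168.1"
        return str(client).startswith(spec + ".")
    return False  # hostname specs would need DNS; treat as no match (conservative)


def client_allowed(directives, client_ip):
    """Evaluate Order/Allow/Deny for one client the way mod_access does."""
    client = ip_address(client_ip)
    order = "deny,allow"  # Apache's default when no Order directive is present
    allowed = denied = False
    for line in directives:
        parts = line.split()
        key = parts[0].lower()
        if key == "order" and len(parts) > 1:
            order = parts[1].lower()
        elif key in ("allow", "deny") and len(parts) > 2 and parts[1].lower() == "from":
            hit = any(_host_matches(s, client) for s in parts[2:])
            if key == "allow":
                allowed = allowed or hit
            else:
                denied = denied or hit
    if order == "deny,allow":
        return allowed or not denied   # Allow overrides Deny; unmatched clients are allowed
    return allowed and not denied      # allow,deny and mutual-failure: unmatched clients are denied


def audit(conf, probe_ip="203.0.113.5"):
    """Return 'disabled', 'exposed' or 'restricted' for the status endpoint."""
    d = location_directives(conf)
    if not any(l.lower().startswith("sethandler") and "server-status" in l.lower() for l in d):
        return "disabled"
    return "exposed" if client_allowed(d, probe_ip) else "restricted"


def probe(base_url, timeout=5):
    """Verification step: fetch /stronghold-status and return the HTTP status code.
    200 means still served, 403 restricted, 404 disabled. Needs network; not run offline."""
    import urllib.request, urllib.error
    req = urllib.request.Request(base_url.rstrip("/") + "/stronghold-status",
                                 headers={"User-Agent": "stronghold-status-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


if __name__ == "__main__":
    for name, conf in [("exposed", EXPOSED_CONF), ("missing-deny", MISSING_DENY_CONF),
                       ("restricted", RESTRICTED_CONF), ("disabled", DISABLED_CONF)]:
        print("%-13s -> %s" % (name, audit(conf)))
```

Run it against your own file with audit(open("httpd.conf").read()); a verdict of "exposed" on the missing-deny sample is the point of the example, since that block looks restricted at a glance. The probe function complements, not replaces, the external test in step 5: run it from a host outside the trusted range.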