Summary #

Invicti detected that Apache server-status is enabled.

Information disclosed from this page can be used to gain additional information about the target system.

Impact #
An attacker can gather reconnaissance information about the internals of the target web server, such as:
  • Server uptime
  • Individual request-response statistics and CPU usage of the working processes
  • Current HTTP requests, client IP addresses, requested paths, and processed virtual hosts
This type of information can help the attacker gain a greater understanding of the system in use and the other potential avenues of attack available.
Remediation #
We recommend disabling this functionality. Comment out the Location/server-info section from Apache configuration file httpd.conf (for Redhat, Centos, Fedora) or apache2.conf (for Debian, Ubuntu).
Classifications #
CAPEC-347; CWE-16; ISO27001-A.18.1.3; WASC-14; OWASP 2013-A5; OWASP 2017-A6 , CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:H/RL:O/RC:C

Dead accurate, fast & easy-to-use Web Application Security Scanner

Get a demo