$5000 Apache /server-status page
Posted on 2019-04-19
This is my first write-up, and also my 50th bug found on Bugcrowd. I hope you'll enjoy reading it as much as I enjoyed finding it. It is an extremely simple yet critical bug that I found while searching on a target. The application made requests in the background that carried a token in the URL, e.g.:

GET https://www.bugbountynotes.com/user/me?token=abc HTTP/1.1

which returned the currently authenticated user's data.
The app was running on Apache and was vulnerable to a Host-Header injection attack.
Accessing the Apache /server-status page was this simple:

GET /server-status HTTP/1.1
Host: localhost
By changing the Host header to localhost I was able to access /server-status and see the current requests being handled by the server. mod_status has a directive called SeeRequestTail (off by default), so only the first 63 characters of each request line are displayed in /server-status. Luckily the tokens and the exact endpoints were not that long (they fit within the 63-character limit), so I was able to steal the tokens, which were a critical part of the application, hence the generous bounty.
Reading /server-status alone might not be considered a vulnerability in every case, but this one was special because of the way the application handled its tokens.
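As an added illustration (not part of the original write-up), the following Python models the 63-character request window that mod_status shows and reports, for a given request line, whether a secret query parameter would be visible in full, in part or not at all, with SeeRequestTail off or on. The sample request lines and the set of parameter names treated as sensitive are constructed assumptions, useful when auditing which of your own endpoints would leak a token this way.

```python
from urllib.parse import urlsplit

# mod_status keeps each worker's request line in a 64-byte scoreboard slot, so at most 63
# characters are shown: the first 63 with SeeRequestTail Off (default), the last 63 with On.
STATUS_REQUEST_CHARS = 63

SENSITIVE_PARAMS = {"token", "access_token", "session", "api_key"}  # assumption: this app's secret params


def status_window(request_line: str, see_request_tail: bool = False) -> tuple[int, int]:
    """Return the [start, end) slice of request_line that /server-status displays."""
    n = len(request_line)
    if n <= STATUS_REQUEST_CHARS:
        return 0, n
    if see_request_tail:
        return n - STATUS_REQUEST_CHARS, n
    return 0, STATUS_REQUEST_CHARS


def status_view(request_line: str, see_request_tail: bool = False) -> str:
    """The text that actually appears in the Request column of /server-status."""
    lo, hi = status_window(request_line, see_request_tail)
    return request_line[lo:hi]


def secret_exposure(request_line: str, see_request_tail: bool = False) -> dict[str, str]:
    """Report each sensitive query parameter as 'full', 'partial' or 'hidden' in the shown window."""
    method, target, _version = request_line.split(" ", 2)
    query = urlsplit(target).query
    if not query:
        return {}
    lo, hi = status_window(request_line, see_request_tail)
    offset = request_line.index("?", len(method) + 1) + 1  # index where the query string starts
    report = {}
    for pair in query.split("&"):
        name, sep, value = pair.partition("=")
        if name in SENSITIVE_PARAMS:
            v_start = offset + len(name) + len(sep)
            v_end = v_start + len(value)
            if lo <= v_start and v_end <= hi:
                report[name] = "full"
            elif v_start < hi and v_end > lo:
                report[name] = "partial"
            else:
                report[name] = "hidden"
        offset += len(pair) + 1  # step over this pair and the '&'
    return report


# Constructed request lines, modelled on the write-up's /user/me?token=... call.
SHORT = "GET /user/me?token=abc HTTP/1.1"
LONG = "GET /api/v2/accounts/profile/settings?token=" + "a1b2c3d4" * 5 + " HTTP/1.1"
DEEP = "GET /reports/" + "x" * 60 + "?token=abc HTTP/1.1"
```

Note that turning SeeRequestTail on does not help here: for a long request line it moves the window to the end, which is exactly where a trailing token parameter sits.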