Apache mod_status /server-status Information Disclosure
Discovered by vijay922 on Tomtom

This issue took 0 Days and 9 hours to triage and 42 Days and 14 hours to resolve once triaged.



Description It is possible to obtain an overview of the remote Apache web server's activity and performance by requesting the URL '/server-status'. This overview includes information such as current hosts and requests being processed, the number of workers idle and service requests, and CPU utilization.

Steps to Reproduce

1) Navigate to URL http://mail.tomtom.com/server-status and click on enter 2) It can be observed the server logs can be seen clearly

Impact

Impact An attacker can gather information about the internals of the target web server, such as: • Server uptime • Individual request-response statistics and CPU usage of the working processes • Current HTTP requests, client IP addresses, requested paths, and processed virtual hosts This type of information can help the attacker gain a greater understanding of the system in use and the other potential avenues of attack available.