Security researchers have discovered that thousands of popular websites are putting their users’ data at risk by leaking internal status information.
The sites in question include a host of well-known names and should-know-betters, including Ford, Tweetdeck, Webex, Php.net and Staples.
Most of the sites are only leaking enough information to give attackers a window into their server’s internals – something that might be a useful stepping stone in formulating a more complex attack.
But as Dan Goodin illustrated in his article at Ars Technica, in a few cases the doors are being flung wide open. Some of the sites are exposing information that an attacker could use to compromise or gain access to a website, such as session IDs, passwords and, in one case, the address of an unprotected admin panel.
The organisations in question are all running websites using the popular Apache web server but haven’t restricted access to its server status module, mod_status. According to Apache (my emphasis) their server status module:
…allows a server administrator to find out how well their server is performing. A HTML page is presented that gives the current server statistics in an easily readable form.
The leaky websites were first discovered by web security firm Sucuri, who performed an automated scan of 10 million websites and found 2,072 that hadn’t hidden their server status pages.
This was followed up by an even more revealing scan by HD Moore, chief architect of the Metasploit penetration testing software framework. He pulled a list of the top 100,000 websites from Alexa and repeated the scan.
Moore found 1,774 with exposed server status pages, about 12 that were leaking session IDs and 6 that were leaking passwords.
So long as you’re not one of the users whose passwords are being exposed, you might think this isn’t so bad; after all, the overwhelming majority of sites scanned weren’t leaking passwords.
But Moore’s scan only took 45 minutes. Organised criminals don’t care about failure rates; they care about getting a return on their investment, and the time, cost and effort in scaling Moore’s scan to hundreds of millions of websites is likely to be negligible.
For some organisations, making a server-status page publicly available is a deliberate and considered step, but for the majority it’s no more than a failure to observe the principle of least privilege.
If users don’t need to see server status information they shouldn’t be able to see it.
Adopting the principle of least privilege saves you from having to anticipate how attackers might use apparently harmless information against you.
If you’re running the Apache web server and you don’t need mod_status, you should disable it.
If you do need to run mod_status, then the apache.org website has a full and complete explanation of Apache’s authentication and authorisation options.
The mod_status page itself also details how to restrict access to a particular domain or network.
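As an added illustration (not from the article or from Apache’s own documentation), here is what the exposed configuration effectively looks like next to a restricted one, using the Apache 2.4 authorisation syntax. The admin network 192.0.2.0/24 is a placeholder from the documentation address range; substitute your own.

```apache
# Added example, not part of the original article.

# WEAK: a status handler with no access control. Anyone who can reach the
# site can request /server-status and read the internals described above.
#<Location "/server-status">
#    SetHandler server-status
#</Location>

# RESTRICTED: same handler, but only loopback and an admin network may see it.
<IfModule mod_status.c>
    # ExtendedStatus On adds per-request detail, including the URL being
    # served; keep it Off unless you need it, since URLs can carry session IDs.
    ExtendedStatus Off

    <Location "/server-status">
        SetHandler server-status
        # Apache 2.4 (mod_authz_core): several Require lines are OR-ed by
        # default. "local" matches loopback; "ip" matches the listed network.
        # Any other client receives 403 Forbidden.
        Require local
        Require ip 192.0.2.0/24    # placeholder admin network
    </Location>
</IfModule>

# If you do not need the module at all, simply do not load it
# (on Debian/Ubuntu packaging: a2dismod status), then reload the server.
# LoadModule status_module modules/mod_status.so
```

After reloading, confirm from an address outside the allowed range that /server-status now returns 403 rather than the statistics page.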