This article from Michael J. Schwartz on InfomationWeek titled Apache Server Setting Mistakes Can Aid Hackers
According to a study of 10 million websites released last week, more than 2,000 sites -- including big-name businesses such as Cisco, Ford and Staples -- have left the status pages for their Apache servers visible, which could give attackers information that would help them penetrate corporate networks.
.......
.......
According to Apache documentation, the Apache mod_status module "allows a server administrator to find out how well their server is performing," via an HTML page that delivers up-to-date server statistics. "It is basically an HTML page that displays the number of [processes] working, status of each request, IP addresses that are visiting the site, pages that are being queried and things like that. All good," said Cid in a related blog post.
"However, this feature can also have security
implications if you leave it wide open to the world. Anyone would be
able to see who is visiting the site, the URLs and sometimes even find
hidden -- obscure -- admin panels or files that should not be visible to
the outside," he said. "That can help attackers easily find more
information about these environments and use them for more complex
attacks."
......
......
For more information, I encourage to read the full article on Apache Server Setting Mistakes Can Aid Hackers
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment