Apache Server-Status Detected

Severity: Medium
Summary

Invicti detected that Apache server-status is enabled.

Information disclosed from this page can be used to gain additional information about the target system.

Impact
An attacker can gather reconnaissance information about the internals of the target web server, such as:
  • Server uptime
  • Individual request-response statistics and CPU usage of the working processes
  • Current HTTP requests, client IP addresses, requested paths, and processed virtual hosts
This type of information can help the attacker gain a greater understanding of the system in use and the other potential avenues of attack available.
Remediation
We recommend disabling this functionality. Comment out the Location/server-info section from the Apache configuration file: httpd.conf (for Red Hat, CentOS, Fedora) or apache2.conf (for Debian, Ubuntu).
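
To confirm the section was actually commented out, the configuration can be scanned for Location blocks that still map a status or info handler. The following Python check is an added example, not part of the original advisory or of Invicti's tooling; the function name `audit` and the sample configuration are constructed for illustration, and Apache 2.4 `Require` syntax is assumed.

```python
import re

# Handlers from mod_status and mod_info that expose server internals.
RISKY_HANDLERS = {"server-status", "server-info"}
OPEN_RE = re.compile(r'<Location(?:Match)?\s+"?([^">]+)"?\s*>', re.I)
CLOSE_RE = re.compile(r"</Location(?:Match)?\s*>", re.I)
HANDLER_RE = re.compile(r'SetHandler\s+"?([\w-]+)"?', re.I)
REQUIRE_RE = re.compile(r"Require\s+(.+)", re.I)


def audit(conf_text):
    """Return (path, handler, restricted) for each active Location block
    that maps a risky handler. Commented-out lines count as disabled."""
    findings, block = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if block is None:
            if (m := OPEN_RE.match(line)):
                block = {"path": m.group(1).strip(), "handler": None, "requires": []}
        elif CLOSE_RE.match(line):
            if block["handler"] in RISKY_HANDLERS:
                # Only the block's own Require lines are checked, not inherited rules.
                restricted = any(r != "all granted" for r in block["requires"])
                findings.append((block["path"], block["handler"], restricted))
            block = None
        elif (m := HANDLER_RE.match(line)):
            block["handler"] = m.group(1).lower()
        elif (m := REQUIRE_RE.match(line)):
            block["requires"].append(m.group(1).strip().lower())
    return findings


# Constructed sample configuration (not taken from a real server).
SAMPLE_CONF = """\
<Location /server-status>
    SetHandler server-status
    Require all granted
</Location>
#<Location /server-info>
#    SetHandler server-info
#</Location>
<Location "/status-internal">
    SetHandler server-status
    Require local
</Location>
"""
```

An empty result means no active Location block maps either handler. An entry with `restricted` set to `True` is still enabled, so it does not satisfy the recommendation above to disable the page.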
