Misconfigured Apache sites expose user passwords, other private data

http://cdn.arstechnica.net/wp-content/uploads/2012/11/exposed-password-redacted.png

More than 2,000 websites—some operated by Fortune 500 companies, game sites, and retail outlets—are exposing system status information that can be used by attackers to compromise Web servers or customer accounts, a recent research project found.

Sites such as staples.com, cisco.com, and axtel.mx run the popular Apache webserver application with a feature known as server-status enabled, according to Daniel Cid, CTO of Web security firm Sucuri. He scanned more than 10 million websites and found 2,072 that left the status page wide open.

The pages display the number of processes running on a Web server, the status of various Web requests, and other data that can be invaluable to site administrators. But the same data—which can also include the full URL they're visiting—can also be helpful to attackers who want to compromise the customers or users visiting the site. Site admins have long been admonished to keep those pages from being visible to the outside world unless they have a good reason for doing otherwise and have thought through the decision carefully.

Tags: