Add check for apache server info #61

Merged
merged 3 commits into from Jul 2, 2021

security-companion
Contributor

I suggest adding a check for apache server info and perl-status

see the following links for details
https://httpd.apache.org/docs/2.4/mod/mod_info.html
https://perl.apache.org/docs/2.0/api/Apache2/Status.html

add check for apache server info and perl-status
@security-companion security-companion changed the title Update snallygaster Add check for apache server info and perl-status Jun 18, 2021
@hannob
Owner

hannob commented Jun 26, 2021

I thought about adding the apache status page before, I didn't know about the perl status.

I'm a bit hesitant to consider these security critical as they contain no relevant information (which is unlike the server-status page from apache which can leak URL variables and is generally a privacy problem).
I am wondering if we should add them as @INFO checks (i.e. only enabled on -i/--info).

Also do you have any idea about the prevalence of the perl thing? Is apache with perl used by a lot of people?

@hannob
Owner

hannob commented Jun 26, 2021

Also please check the coding style warnings from the CI.

@drwetter

For server-status I've seen juicy info once in a while, like processes. That is the case IIRC when extended status is on. Otherwise it's "just" info leakage, Apache version, uptime, etc.

Google Dork: https://www.google.com/search?q=intitle:%22Apache%20Status%22%20%22Apache%20Server%20Status%20for%22

(German article): https://www.heise.de/hintergrund/Webserver-Sicherheitsluecke-Heikle-Konfigurations-und-Statusdaten-publiziert-4971830.html?seite=3

@hannob
Owner

hannob commented Jun 26, 2021

@drwetter to be clear snallygaster already checks for apache's server-status. This PR is about server-info.

However I figured out this PR doesn't really work. It checks for the string "Apache Status", while there is no such string on the server-info page.

@drwetter

Apologies, Hanno. Just saw your comment wrt apache status but didn't check @joejoe2010's comment.

@security-companion
Contributor Author

Hi,
thanks for your feedback.
I added server-info as IMHO it contains sensitive info (e.g. Server Version: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6)
An attacker could use this information to search for existing vulnerabilities in CVE listings and therefore manage to exploit the system.

I will rework the pull request and then update it.

@security-companion
Contributor Author

Note: Pull request is still work in progress

@hannob
Owner

hannob commented Jun 27, 2021

Maybe we start by doing the apache server-info and you open another issue or pr for the perl one.

After looking at this again I now believe the server-info is more severe than I previously thought. It does not just provide version info, but basically the whole server config, I think a reasonable case can be made that this should almost never be on the public internet.

Checking for "Server Information" is too nonspecific, this will lead to false positives (occasionally one sees hosts that run a search engine based on the path you call). I think the html headline ("Apache Server Information") is a good string expected to be consistent, though the formatting is different depending on Apache versions, but I guess we can include the HTML end tag and thus use "Apache Server Information" as an identification string.

@security-companion security-companion changed the title Add check for apache server info and perl-status Add check for apache server info Jun 27, 2021
@security-companion
Contributor Author

security-companion commented Jun 27, 2021

It sounds good to me to leave the perl-page for another pull request.
I had chosen Server Information as this was the title of the page - (for server-status the search string also was the page title)

@security-companion
Contributor Author

security-companion commented Jun 27, 2021

I'm not quite sure about what you mean with the html end tag. Is it </html> ?
But in my source code of the server-info page the </html> string doesn't come after the "Apache Server information" string but at the very end of the source code.

@hannob hannob merged commit 6091277 into hannob:main Jul 2, 2021
@hannob
Owner

hannob commented Jul 2, 2021

My idea was to have '' at the end, but I'll merge and will fix it myself. We should do the same for server-status.

@security-companion
Contributor Author

security-companion commented Jul 2, 2021

Thanks for merging.
Okay, now I understand what you meant.
Although for server-status the text is a bit different
<h1>Apache Server Status for localhost (via 127.0.0.1)</h1>

So you would need to add <h1> at the beginning.
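
An added example (not part of this thread and not snallygaster's code) that compares the loose "Server Information" match with headline-anchored matches on constructed response bodies, and reports the version string a hit would leak. The marker strings, the reading of the "HTML end tag" as `</h1>`, the sample pages and all function names are assumptions of this example.

```python
import re

# Assumed markers (this example's reading of the thread, not snallygaster's code):
# server-info anchors on the headline's end tag, server-status on its start tag.
INFO_MARKER = "Apache Server Information</h1>"
STATUS_MARKER = "<h1>Apache Server Status for "
LOOSE_MARKER = "Server Information"  # the string the thread calls too nonspecific
VERSION_RE = re.compile(r"Server Version:\s*(?:<[^>]+>\s*)*(Apache/[^<\r\n]+)")


def classify(body):
    """Return (finding, leaked_version) for one HTTP response body."""
    if INFO_MARKER in body:
        finding = "server-info"
    elif STATUS_MARKER in body:
        finding = "server-status"
    else:
        return None, None
    m = VERSION_RE.search(body)
    return finding, m.group(1).strip() if m else None


def loose_match(body):
    """The rejected check: a plain substring that fires on unrelated pages."""
    return LOOSE_MARKER in body


# Constructed sample bodies (not captured from any real host).
SAMPLES = {
    "info-a": '<h1 style="text-align: center">Apache Server Information</h1>\n'
              '<dt><strong>Server Version:</strong> <font size="+1"><tt>'
              'Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6</tt></font></dt>',
    "info-b": '<h1 align="center">Apache Server Information</h1>',
    "status": '<h1>Apache Server Status for localhost (via 127.0.0.1)</h1>\n'
              '<dl><dt>Server Version: Apache/2.4.43 (Win64)</dt></dl>',
    "search": '<h2>Results for "server-info"</h2>\n'
              '<a href="/kb/42">Customer Server Information Sheet</a>',
}


def report():
    """Map each sample name to (loose hit, strict finding, leaked version)."""
    return {name: (loose_match(body),) + classify(body)
            for name, body in SAMPLES.items()}


if __name__ == "__main__":
    for name, row in report().items():
        print(name, row)
```

The end-tag anchor survives differing attributes on the opening `<h1>`, while the server-status headline varies after "for", so only its start can be anchored.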
