New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add check for apache server info #61
Conversation
add check for apache server info and perl-status
I thought about adding the apache status page before, I didn't know about the perl status. I'm a bit hesistant to consider these security critical as they contain no relevant information (which is unlike the server-status page from apache which can leak URL variables and is generally a privacy problem). Also do you have any idea about the prevalence of the perl thing? Is apache with perl used by a lot of people? |
Also please check the codingstyle warnings from the CI. |
for server-status I've seen once in a while juicy infos. like processes. That is the case IIRC when extended status is on. Otherwise it's "just" info leakage, Apache version, uptime, etc. Google Dork: https://www.google.com/search?q=intitle:%22Apache%20Status%22%20%22Apache%20Server%20Status%20for%22 (German article): https://www.heise.de/hintergrund/Webserver-Sicherheitsluecke-Heikle-Konfigurations-und-Statusdaten-publiziert-4971830.html?seite=3 |
@drwetter to be clear snallygaster already checks for apache's server-status. This PR is about server-info. However I figured out this PR doesn't really work. It checks for the string "Apache Status", while there is no such string on the server-info page. |
Apologize, Hanno. Just saw your comment wrt apache status but didn't check @joejoe2010's comment. |
Hi, I will rework the pull request and then update it. |
Note: Pull request is still work in progress |
Maybe we start by doing the apache server-info and you open another issue or pr for the perl one. After looking at this again I now believe the server-info is more severe than I previusly thought. It does not just provide version info, but basically the whole server config, I think a reasonable case can be made that this should almost never be on the public internet. Checking for "Server Information" is too nonspecific, this will lead to false positives (occasionally one sees hosts that run a search engine based on the path you call). I think the html headline ("Apache Server Information") is a good string expected to be consistent, though the formatting is different depending on Apache versions, but I guess we can include the HTML end tag and thus use "Apache Server Information" as an identification string. |
It sounds good to me to leave the perl-page for another pull request. |
I'm not quite sure about what you mean with the html end tag. Is it |
My idea was to have '' at the end, but I'll merge and will fix it myself. we should do the same for server-status. |
Thanks for merging. So you would need to add |
I suggest adding a check for apache server info and perl-status
see the following links for details
https://httpd.apache.org/docs/2.4/mod/mod_info.html
https://perl.apache.org/docs/2.0/api/Apache2/Status.html