enterprise-support team mailing list archive
Message #10986
[Bug 2121819] [NEW] Insecure inheritance of /server-status handler in vhosts due to Require all granted overrides
Public bug reported:
On a default Ubuntu Apache2 installation, the status.conf shipped with
mod_status enables /server-status globally with:
<Location /server-status>
SetHandler server-status
Require local
</Location>
At first glance, this looks safe, because access is restricted to
localhost.
However, if any virtual host defines a broad <Location /> rule with
Require all granted (a common pattern when hardening vhost-specific
access rules), the effect is that the /server-status handler is still
inherited by that vhost — but without the intended access restriction.
Steps to reproduce:
Enable mod_status.
Leave the default /etc/apache2/mods-enabled/status.conf untouched.
Create a vhost like:
<VirtualHost *:80>
ServerName example.com
DocumentRoot /var/www/html
<Location />
Require all granted
</Location>
</VirtualHost>
Visit http://example.com/server-status from a remote host.
→ The server-status page is exposed publicly, bypassing the Require local in the global config.
Expected result:
Either /server-status should not be inherited into vhosts at all by
default, or
Its restrictions should not be overridden unintentionally by broad
<Location /> rules.
Actual result:
/server-status is exposed publicly if a vhost applies Require all
granted globally.
Security impact:
This constitutes an information disclosure vulnerability: internal
status pages (with request and performance details) are visible to
remote clients.
Suggested fix:
Ship a more defensive status.conf. For example:
Provide /server-status only on a dedicated “admin vhost” bound to
127.0.0.1:
<VirtualHost 127.0.0.1:80>
<Location /server-status>
SetHandler server-status
Require ip 127.0.0.1
</Location>
</VirtualHost>
** Affects: apache2 (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Server/Client Support Team, which is subscribed to apache2 in Ubuntu.
Matching subscriptions: Ubuntu Server/Client Support Team
https://bugs.launchpad.net/bugs/2121819
Title:
Insecure inheritance of /server-status handler in vhosts due to
Require all granted overrides
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/2121819/+subscriptions
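An audit script for the pattern the report describes, added here as an illustration and not part of the bug report or the apache2 package. Apache applies the main server's sections before a virtual host's own, and with the default AuthMerging Off a later Require list replaces the earlier one, so a vhost-level `<Location />` with `Require all granted` displaces the global `Require local` on /server-status. The script assumes the stock status.conf is in effect and scans a constructed config (embedded below) for vhosts that open everything without re-restricting /server-status themselves.

```python
"""Flag vhosts whose <Location /> 'Require all granted' overrides the global 'Require local' on /server-status."""
import re

SECTION_OPEN = re.compile(r"^<(\w+)\s*([^>]*)>$")
SECTION_CLOSE = re.compile(r"^</\w+>$")
# Constructed sample: stock status.conf block, one vhost that reopens everything, one that re-restricts.
SAMPLE_CONFIG = """
<Location /server-status>
    Require local
</Location>
<VirtualHost *:80>
    <Location />
        Require all granted
    </Location>
</VirtualHost>
<VirtualHost *:8080>
    <Location />
        Require all granted
    </Location>
    <Location /server-status>
        Require local
    </Location>
</VirtualHost>
"""

def find_exposed_vhosts(text):
    """Headers of vhosts that grant everyone access under <Location /> without their own /server-status restriction."""
    stack, exposed, open_root, restricts = [], [], False, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_OPEN.match(line)
        if m:
            stack.append(f"{m.group(1)} {m.group(2).strip()}")
        elif SECTION_CLOSE.match(line):
            name = stack.pop()
            if name.startswith("VirtualHost"):  # vhost closed: judge what it accumulated
                if open_root and not restricts:
                    exposed.append(name)
                open_root = restricts = False
        elif len(stack) == 2 and stack[0].startswith("VirtualHost"):
            directive = line.lower()
            if stack[1] == "Location /" and directive == "require all granted":
                open_root = True
            elif stack[1] == "Location /server-status" and directive.startswith("require"):
                restricts = directive != "require all granted"  # a grant here does not restrict
    return exposed  # SAMPLE_CONFIG -> ['VirtualHost *:80']
```

Run it over the output of `apache2ctl -t -D DUMP_INCLUDES` file list (or the sites-enabled directory contents concatenated) to check a live host; the vhost on port 8080 passes because it carries its own `<Location /server-status>`.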