enterprise-support team mailing list archive

[Bug 2121819] [NEW] Insecure inheritance of /server-status handler in vhosts due to Require all granted overrides

Public bug reported:

On a default Ubuntu Apache2 installation, the status.conf shipped with
mod_status enables /server-status globally with:

<Location /server-status>
    SetHandler server-status
    Require local
</Location>

At first glance, this looks safe, because access is restricted to
localhost.

However, if any virtual host defines a broad <Location /> rule with
Require all granted (a common pattern when hardening vhost-specific
access rules), the effect is that the /server-status handler is still
inherited by that vhost — but without the intended access restriction.

Steps to reproduce:

    1. Enable mod_status.

    2. Leave the default /etc/apache2/mods-enabled/status.conf untouched.

    3. Create a vhost like:

    <VirtualHost *:80>
        ServerName example.com
        DocumentRoot /var/www/html
        <Location />
            Require all granted
        </Location>
    </VirtualHost>

    4. Visit http://example.com/server-status from a remote host.
       → The server-status page is exposed publicly, bypassing the Require local in the global config.

Expected result:

    - Either /server-status should not be inherited into vhosts at all by
      default, or
    - Its restrictions should not be overridden unintentionally by broad
      <Location /> rules.

Actual result:

    /server-status is exposed publicly if a vhost applies Require all
    granted globally.

Security impact:

This constitutes an information disclosure vulnerability: internal
status pages (with request and performance details) are visible to
remote clients.

Suggested fix:

Ship a more defensive status.conf. For example:

    Provide /server-status only on a dedicated “admin vhost” bound to
    127.0.0.1:

<VirtualHost 127.0.0.1:80>
    <Location /server-status>
        SetHandler server-status
        Require ip 127.0.0.1
    </Location>
</VirtualHost>

** Affects: apache2 (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Server/Client Support Team, which is subscribed to apache2 in Ubuntu.
Matching subscriptions: Ubuntu Server/Client Support Team
https://bugs.launchpad.net/bugs/2121819

Title:
  Insecure inheritance of /server-status handler in vhosts due to
  Require all granted overrides

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/2121819/+subscriptions
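A small configuration audit that looks for the combination the report describes, as an added example that is not part of the bug report or of Ubuntu's apache2 packaging. The function names (has_broad_grant, status_globally_enabled, check_exposure) are hypothetical, and the sample configuration files are constructed here from the directives quoted in the report: the shipped status.conf layout, the suggested 127.0.0.1-bound admin vhost, the vhost with a broad "<Location />", and a variant that scopes its grant to a <Directory> instead. It only inspects files; it does not contact any server.

```shell
#!/bin/sh
# Added audit example (not from the bug report): flag the pattern where a
# per-vhost "<Location />" carrying "Require all granted" sits alongside a
# status.conf that enables /server-status outside any <VirtualHost>, so the
# vhost inherits the handler while its broad grant replaces "Require local".
# Function names and sample files are hypothetical; directives are as quoted.

# Return 0 when FILE contains a "<Location />" (or "<Location "/">") section
# that grants access to everyone; return 1 otherwise. Comment lines are skipped.
has_broad_grant() {
    awk '
        { line = tolower($0); gsub(/^[ \t]+|[ \t]+$/, "", line) }
        line ~ /^#/ { next }
        line ~ /^<location[ \t]+"?\/"?[ \t]*>$/ { inside = 1; next }
        line ~ /^<\/location>/ { inside = 0; next }
        inside && line ~ /^require[ \t]+all[ \t]+granted/ { hit = 1 }
        END { exit (hit ? 0 : 1) }
    ' "$1"
}

# Return 0 when FILE sets the server-status handler outside any <VirtualHost>
# (the shipped status.conf layout, inherited by every vhost); 1 otherwise.
status_globally_enabled() {
    awk '
        { line = tolower($0); gsub(/^[ \t]+|[ \t]+$/, "", line) }
        line ~ /^#/ { next }
        line ~ /^<virtualhost/ { vh = 1; next }
        line ~ /^<\/virtualhost>/ { vh = 0; next }
        !vh && line ~ /^sethandler[ \t]+server-status/ { hit = 1 }
        END { exit (hit ? 0 : 1) }
    ' "$1"
}

# Return 0 when STATUS_CONF ($1) enables /server-status globally AND
# VHOST_CONF ($2) carries a broad grant, i.e. the reported exposure.
check_exposure() {
    status_globally_enabled "$1" && has_broad_grant "$2"
}

# Constructed sample configs so the script runs offline.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/status-default.conf" <<'EOF'
<Location /server-status>
    SetHandler server-status
    Require local
</Location>
EOF

cat > "$SAMPLE_DIR/status-hardened.conf" <<'EOF'
<VirtualHost 127.0.0.1:80>
    <Location /server-status>
        SetHandler server-status
        Require ip 127.0.0.1
    </Location>
</VirtualHost>
EOF

cat > "$SAMPLE_DIR/vhost-broad.conf" <<'EOF'
<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /var/www/html
    <Location />
        Require all granted
    </Location>
</VirtualHost>
EOF

cat > "$SAMPLE_DIR/vhost-scoped.conf" <<'EOF'
<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /var/www/html
    <Directory /var/www/html>
        Require all granted
    </Directory>
</VirtualHost>
EOF

# Report every status.conf / vhost combination.
for status in status-default status-hardened; do
    for vhost in vhost-broad vhost-scoped; do
        if check_exposure "$SAMPLE_DIR/$status.conf" "$SAMPLE_DIR/$vhost.conf"; then
            echo "EXPOSED: $status.conf + $vhost.conf"
        else
            echo "ok:      $status.conf + $vhost.conf"
        fi
    done
done
```

Only the status-default + vhost-broad pair is reported as exposed: moving the handler into a 127.0.0.1-bound vhost removes it from the inheritance path, and scoping the grant to a <Directory> leaves the global <Location /server-status> restriction untouched. On a real host the same functions can be pointed at /etc/apache2/mods-enabled/status.conf and each file under /etc/apache2/sites-enabled/.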