Our features site is undergoing a refresh! Be sure to explore the revamped site and discover our latest product roadmap launching here on Monday, March 18th.
New Topic
cPanel & WHM Feature RequestsTopicWeb Servers
Properties
Category Web Servers
Tags server-status, apache, security, localhost

Secure Apache status page

Mike shared this idea 8 years ago
Open Discussion

Problem

Having the Apache status page accessible by any user is a security risk.

The status page shows for each current connection:


  • The remote IP address
  • The vhost being accessed
  • The exact path and query string being accessed

Alarmingly this could be used to steal passwords and even session keys from the query strings of other customer's websites. Sure, this information shouldn't be passed via the query string but in fact it often is. Additionally the status page can be used to determine who is visiting another customer's website and how often, even calculating analytics.

I can't see why it would ever be acceptable for http://127.0.0.1/whm-server-status to be accessible given the above. I submitted a support ticket about this but was asked to open a Feature Request here.

Proposal

As far as myself and the support rep know, the page is actually only used to display the Apache Status page within WHM (it's not used to gather statistics for cPanel or anything like that). It should therefore be safe to remove or password protect (something which I'll be testing immediately and applying to our servers if suitable). However I do think this should be default. cPanel can password protect the status page and use this password when pulling the contents to display within WHM.

4 I like this idea 0  
Leave a Comment
 
Attach a file

cPanel, WebHost Manager and WHM are registered trademarks of cPanel, L.L.C. for providing its computer software that facilitates the management and configuration of Internet web servers.