Apache Server-Status: A Treasure Trove for Penetration Testers

What is Apache Server-Status:

An Apache Server-Status page is a built-in functionality of the Apache HTTP server software that provides information about the current status of the server and its ongoing operations. It is typically accessible via a URL on the server and can provide information such as the number of requests being processed, the current state of each request, and the number of idle and busy workers.

From a security perspective, the Apache Server-Status page can be a valuable resource for understanding the behavior of the server. For example, a potential threat actor can use the information displayed on the status page to identify different paths and vHosts which could be accessed.

The Apache Server-Status page should be properly secured and only accessible to trusted parties, as it can provide sensitive information about the server and its operations. Misconfigured or improperly secured Server-Status pages can be a security vulnerability and open the door for attackers to gain unauthorized access to the server.

Apache Server-Status pages could be easily found using a directory-busting tool or fuzzer such as ffuf.

For the sake of this paper, let’s call the vulnerable target “example.com”, and for this matter the Server-Status page is accessible at https://example.com/server-status, and looks something like this:

Let’s focus on two columns specifically: Vhost and Request.

vHosts:

First, what are vHosts?

Virtual Hosts (vHosts) are a feature of webservers that allow multiple domains to be hosted on a single server using a single IP address. Each domain is assigned a separate set of configuration settings and can have its own web content, which is served to visitors who request that domain.

This is important because different vHosts provide different services and information. For example, let’s say the example.com server-status page shows records of requests given to 3 different vHosts: example.com (the main website), backend1.net (a backend vHost over the same server) and backend2.net. These records would look like so:

Manual testing:

At this point it is totally possible to simply go over each vHost and try to access the same path shown in the request column like so:

Or:

But! This command will not work:

This implies that the path “/sensitive-information?username=Adam” contains sensitive information that shouldn't be publicly accessible.

Automating the process:

Usually the server-status page would contain many records, which could make going over them all manually a rather tedious job (not to mention the risk of missing important information). Thankfully this process could be easily automated using a simple Python script such as this one:

Digging deeper:

In some cases, we might find some interesting information regarding the system itself. For example, let’s say we tried to access backend2.net at /more-information and got the following response:

[snipped]

At first, we might be disappointed to find what seems to be a very long error, but when we look further into the response we would notice something interesting:

It appears that this vHost uses Laravel², which has some publicly known vulnerabilities.

For example, now we can check if the Laravel.log file is accessible:

This is a critical finding on its own, since this log file can contain sensitive information about the web application and its environment. The Laravel log file is used to record events and errors that occur during the execution of the application, and it can contain sensitive information such as database credentials, exception and error messages, debug information and even user data in some cases.

Having access to this sensitive information can give an attacker a significant advantage in exploiting vulnerabilities in the web application or compromising its data and infrastructure.

Another interesting Laravel file is .env:

Which, in this case, contained some DB and Gmail credentials, as well as the APP_KEY which could be used to decrypt and encrypt cookies.

From here we could continue to other high-impact vulnerabilities such as CVE-2021-3129 (Remote Code Execution) and so on.

More options:

Once we feel like we’ve tried everything Laravel could provide us, we can go back to fuzzing our new vHosts and look for some more interesting findings. In this case, we found some .svn files, which could cause some serious damage. Most security experts try to keep track of publicly available vulnerabilities, which is not an easy task in itself. But with unlimited access to source code (which isn’t constantly tested by bug-bounty programs etc.), an attacker could potentially find their own vulnerabilities from within the source code itself, and these could be nearly impossible to find and fix before being exploited. .svn files can be easily extracted using a tool such as svn-extractor.py.
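From the defender's side, every exposure walked through above (the server-status page, the Laravel log, .env, .svn metadata) appears in the Apache access log as a successful response to a client that should not have received one. The following is an added example, not code from the original post: it scans log lines for exactly those reads. It assumes Combined Log Format, Laravel's default storage/logs/ log directory, and a hypothetical list of trusted networks.

```python
import ipaddress
import re

# Apache Combined Log Format: client, ident, user, [time], "request", status, size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

# Paths the post shows being exposed. storage/logs/ is Laravel's default log directory.
SENSITIVE = {
    "server-status": re.compile(r"^/server-status(?:/|$)"),
    "laravel-log": re.compile(r"/storage/logs/[^/]*\.log$", re.I),
    "dotenv": re.compile(r"/\.env(?:\.[^/]*)?$"),
    "svn-metadata": re.compile(r"/\.svn(?:/|$)"),
}

# Assumption: networks allowed to read these paths (loopback plus a monitoring subnet).
TRUSTED = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128", "10.0.5.0/24")]

def exposures(lines, trusted=TRUSTED):
    """Return (ip, kind, path) for each 2xx response on a sensitive path to an untrusted client."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m["status"].startswith("2"):
            continue  # unparsable line, or the server already refused the request
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # a hostname was logged instead of an address
        if any(ip in net for net in trusted):
            continue
        path = m["target"].split("?", 1)[0]  # match on the path, ignoring the query string
        for kind, rx in SENSITIVE.items():
            if rx.search(path):
                hits.append((str(ip), kind, path))
                break
    return hits

# Constructed sample log lines using documentation address ranges, not real traffic.
SAMPLE = [
    '127.0.0.1 - - [10/Jan/2024:10:00:00 +0000] "GET /server-status?auto HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Jan/2024:10:00:05 +0000] "GET /server-status HTTP/1.1" 200 9021',
    '203.0.113.7 - - [10/Jan/2024:10:00:09 +0000] "GET /.env HTTP/1.1" 403 199',
    '198.51.100.4 - - [10/Jan/2024:10:01:00 +0000] "GET /storage/logs/laravel.log HTTP/1.1" 200 88213',
    '198.51.100.4 - - [10/Jan/2024:10:01:02 +0000] "GET /.svn/entries HTTP/1.1" 200 3',
    '198.51.100.4 - - [10/Jan/2024:10:01:03 +0000] "GET /index.php HTTP/1.1" 200 1200',
]

if __name__ == "__main__":
    print(*exposures(SAMPLE), sep="\n")
```

Any hit means the path was served rather than refused, so the fix belongs in the server configuration (restricting the status handler and denying these files) and any credentials in the exposed files should be treated as disclosed.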

Conclusion:

When conducting a penetration test it could be tempting to jump straight ahead to very complex attacks and to overlook some very simple and useful “hints”. In this case, log poisoning pops into one's mind right away as a possible attack scenario, but instead it’s a good idea to use the information provided to us by this feature (instead of trying to outright exploit it right away). This way you can explore different options and expand the scope of the penetration test – making it more thorough. This could be a valuable lesson in general, and I hope this post was helpful in explaining one example of this approach.

When dealing with a large corporation, it can be hard to keep track of misconfigurations such as the Apache Server-Status page. Thankfully, finding it (and many other security vulnerabilities) is easy using the ULTRA RED platform.

For further information and questions feel free to contact me at sapir@ultrared.ai.

Appendix:

1 – The -H parameter of the curl command allows us to override and/or add any HTTP Request header. In this case, we changed the Host header from what would have been “example.com” to the vHost we want to access - backend1.net.

2 – Laravel is a free, open-source PHP web application framework designed for building modern, robust, and scalable web applications. It is one of the most popular PHP frameworks and is known for its elegant syntax, modular design, and comprehensive documentation.