Check: WA00510 A24
Apache Server 2.4 Unix:
WA00510 A24
(in version v1 r1)
Title
Web server status module must be disabled. (Cat II impact)
Discussion
The Apache mod_info module provides information on the server configuration via access to a /server-info URL location, while the mod_status module provides current server performance statistics. While having server configuration and status information available as a web page may be convenient, it is recommended that these modules not be enabled: Once mod_info is loaded into the server, its handler capability is available in per-directory .htaccess files and can leak sensitive information from the configuration directives of other Apache modules such as system paths, usernames/passwords, database names, etc. If mod_status is loaded into the server, its handler capability is available in all configuration files, including per-directory files (e.g., .htaccess) and may have security-related ramifications.
Check Content
Enter the following command: httpd -M | grep -e "info" -e "status" If any of the following modules are found, this is a finding. info_module status_module
Fix Text
Edit the httpd.conf file and disable the following modules: info_module status_module
Additional Identifiers
Rule ID:
Vulnerability ID: V-26294
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |