apache: /server-status page publicly visible through Tor or Pagekite
The /server-status page is only meant to be viewable from localhost. But since Tor onion service and Pagekite connections are treated as local, the page is publicly visible through those. (I only tested Tor, but I assume Pagekite will do the same.)
The issue was reported on IRC, so it is somewhat public knowledge already.
- Disable mod_status, or require authorization for the /server-status location.
- Make an announcement on the forum, mailing list, and social media with instructions so users running Pagekite or a Tor onion service can quickly disable mod_status with: sudo a2dismod status && sudo systemctl restart apache2
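The access rule behind this report, and the second of the two proposed fixes (keep the page but require authorization), as an added configuration example; this is not the report's or FreedomBox's own code. Debian ships the status page with a "Require local" rule, which accepts any client whose peer address is a loopback address or one of the server's own addresses. Tor delivers each onion service connection to Apache over loopback (a local tunnelling connector such as Pagekite's works the same way), so Apache sees 127.0.0.1 as the client and the rule passes. The file path, the htpasswd path and the user name are assumptions for the example.

```apache
# Added example, not FreedomBox code. Debian ships the status page rule in
# /etc/apache2/mods-available/status.conf (path assumed for this example).
<IfModule mod_status.c>
    <Location /server-status>
        SetHandler server-status

        # WEAK (Debian default): "Require local" accepts any client whose
        # peer address is loopback or one of the server's own addresses.
        # A Tor onion service hands each request to Apache over 127.0.0.1,
        # so a request arriving via the onion address satisfies this rule
        # and the page is reachable from anywhere on the Tor network.
        #Require local

        # HARDENED: still require a loopback source, and additionally require
        # HTTP Basic credentials. Both conditions inside <RequireAll> must
        # hold, so an anonymous onion visitor now gets 401 instead of 200.
        # /etc/apache2/status.htpasswd and the user "admin" are assumed names;
        # create the file with:  htpasswd -c /etc/apache2/status.htpasswd admin
        AuthType Basic
        AuthName "Apache server status"
        AuthUserFile /etc/apache2/status.htpasswd
        <RequireAll>
            Require local
            Require valid-user
        </RequireAll>
    </Location>
    ExtendedStatus On
</IfModule>

# If the page is not needed at all, the first proposed fix removes it
# entirely instead:  sudo a2dismod status && sudo systemctl restart apache2
```

mod_auth_basic and mod_authn_file, which the hardened block relies on, are enabled by default on Debian. To check the change after "sudo systemctl reload apache2", run "curl -s -o /dev/null -w '%{http_code}\n' http://127.0.0.1/server-status" on the box itself: it should print 401, and only a request carrying valid credentials ("-u admin") should print 200. The same request sent through the onion address must also return 401, since the loopback condition alone no longer grants access.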
Edited by James Valleroy