[tor-onions] If you run a Tor hidden service for an Apache server, make sure you disable mod_status

Alec Muffett alec.muffett at gmail.com
Sat Jan 30 07:46:58 UTC 2016


A word for the wise...

https://wireflaw.net/blog/apache-hidden-service-vuln.html

Tor hidden service operators: your default Apache install is probably
vulnerable

TL;DR: If you run a Tor hidden service for an Apache server, make sure you
disable mod_status with: $ a2dismod status

On most distributions, Apache ships with a handy feature called mod_status
enabled. It's a page located at /server-status that displays some
statistics, like uptime, resource usage, total traffic, enabled virtual
hosts, and active HTTP requests. For security reasons, it's only accessible
from localhost by default.

This seems fairly reasonable, until you realize the Tor daemon runs on
localhost. Consequently, any hidden service using Apache's default config
has /server-status exposed to the world. What could a malicious actor do in
that case? They could spy on potentially sensitive requests. They could
deduce the server's approximate longitude if the timezone is set. They
could even determine its IP address if a clearnet Virtual Host is present.

But this shouldn't be too much of a problem. Surely people who have taken
the time to install an advanced web server and configure a hidden service
for it have thoroughly read the documentation and disabled the offending
module.

Or not.

[continues...]


-- 
http://dropsafe.crypticide.com/aboutalecm
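A defender's check for the misconfiguration the quoted post describes, added here as an example and not part of Alec's mail or the linked blog: it audits Apache config text for a server-status handler whose access control admits loopback clients, which is exactly what requests relayed by the Tor daemon look like. The function name and the Debian-style sample config are constructed for this example.

```python
"""Audit Apache config text for a mod_status page a Tor hidden service
would expose: Tor hands connections to Apache from loopback, so an ACL
such as 'Require local' admits every .onion visitor."""
import re

# LoadModule line that enables mod_status (Debian: mods-enabled/status.load).
STATUS_MODULE = re.compile(r"^\s*LoadModule\s+status_module\b", re.M)
# <Location path> ... </Location> blocks, body captured lazily across lines.
LOCATION = re.compile(r"<Location\s+([^>\s]+)\s*>(.*?)</Location>", re.I | re.S)
STATUS_HANDLER = re.compile(r"^\s*SetHandler\s+server-status\b", re.I | re.M)
# Any access-control directive at all (commented-out lines do not match).
ACL_LINE = re.compile(r"^\s*(?:Require|Allow|Deny|Order)\b", re.I | re.M)
# ACLs that admit a client connecting from 127.0.0.1 / ::1, i.e. via Tor.
LOOPBACK_ACL = re.compile(
    r"^\s*(?:Require\s+(?:local|all\s+granted|ip\s+(?:127\.0\.0\.1|::1)(?:/\d+)?)"
    r"|Allow\s+from\s+(?:all|localhost|127\.0\.0\.1|::1))\b",
    re.I | re.M)


def audit_mod_status(config: str) -> dict:
    """Report whether a loopback client (hence any Tor visitor) can reach a
    server-status page. `config` is httpd.conf plus every enabled
    mods-enabled/*.load and conf-enabled/*.conf snippet, concatenated."""
    loaded = STATUS_MODULE.search(config) is not None
    reachable = []
    for path, body in LOCATION.findall(config):
        if not STATUS_HANDLER.search(body):
            continue
        # No ACL lines = unrestricted; a loopback-only ACL is no restriction
        # either once requests arrive through the Tor daemon.
        if not ACL_LINE.search(body) or LOOPBACK_ACL.search(body):
            reachable.append(path)
    exposed = loaded and bool(reachable)
    return {
        "module_loaded": loaded,
        "loopback_reachable": reachable,
        "tor_exposed": exposed,
        "fix": "a2dismod status" if exposed else None,
    }


# Constructed sample mirroring a Debian-style default status.conf.
SAMPLE_DEBIAN_DEFAULT = """\
LoadModule status_module /usr/lib/apache2/modules/mod_status.so
<IfModule mod_status.c>
    <Location /server-status>
        SetHandler server-status
        Require local
        #Require ip 192.0.2.0/24
    </Location>
</IfModule>
"""
```

Run `audit_mod_status()` over the concatenation of your live config files; a non-empty `loopback_reachable` with the module loaded means the status page is reachable by anyone who can reach the onion address.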