This is a short article to pinpoint a recent finding I have discovered in many targets. TBH, it’s an easy one that can be leveraged during recon and info gathering. However, I did not know about it until I found it lately.
During the “fuzzing” process I found the Apache /server-status webpage of the target. Some automated scanners might detect the exposure of it.
This webpage displays information about your Apache status along with other important information.
Some platforms consider the disclosure of the /server as a vulnerability by itself. While others consider it informational UNLESS there’s sensitive data (e.g. tokens, passwords, etc…) and the cloud be triaged P4-P2 depending on the severity of the information displayed there.
How to take more advantage of this vulnerability?
— As I mentioned earlier, in some cases the exposure of /server-status might not be triaged as a valid finding by itself. However, This page may include information about private directories and resources. You can try visiting these directories and files may not be protected and you can access them.
— This may also include internal API documentations, tokens and login attempts with user’s credentials that can be found in the requests displayed within this webpage.
Tip: add this directory “/server-status” to your fuzzing wordlist (for targets that run Apache servers)
For more references: