• If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
    CentOS2Alma discussion

Forwarded to devs <domain>/server-status is accessible when frame forwarding configured

L

lukas-degan

Basic Pleskian
Username: lukas-degan

TITLE

<domain>/server-status is accessible when frame forwarding configured

PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE

Plesk Obsidian, Version 18.0.31 Update Nr. 2, Debian 10 64 Bit

PROBLEM DESCRIPTION

If hosting type of a domain is set to "frame forwarding", the apache status page under "https://<domain>/server-status" is public accessible. If its set for example to "permanent moved" it is not accessible.
And all this without any special manual configuration.

STEPS TO REPRODUCE

Set hosting type to "frame forwarding" and access the URL under: https://<domain>/server-status

ACTUAL RESULT

The Apache status page with many private information are accessible for everyone.

EXPECTED RESULT

The status page is not accessible without any explicit configuration.

ANY ADDITIONAL INFORMATION



YOUR EXPECTATIONS FROM PLESK SERVICE TEAM

Confirm bug
 
From developer:

Plesk does not manage any server-status pages. I was able only to find KB about the manual configuration of this module to add such page for all domains (How to enable the Apache server statistics on a Plesk server). So it's not a Plesk related issue, but admin should check - does really server-status page is accessible for everyone and if so, add some kind of IP access restriction.
 
IgorG said:
From developer:

Plesk does not manage any server-status pages. I was able only to find KB about the manual configuration of this module to add such page for all domains (How to enable the Apache server statistics on a Plesk server). So it's not a Plesk related issue, but admin should check - does really server-status page is accessible for everyone and if so, add some kind of IP access restriction.
Click to expand...
Hi Igor,

thx for your reply. Can i only configure this for all domains or also for specific?
I checked "/etc/apache2/mods-enabled/status.conf" and there are no manual configruations. Its the default config.

If i try to acces a domain without any redirections i get "403 Forbidden" on the "server-status" page.
I will try to set the ip restriction and give you reply soon.
 
I see it as a problem, too. If I set up a hosted website, /server-status is not accessible. But if it is a frame forwarding, than it is accessible. It should behave the same way or maybe there should be an option to enable / disable it, for security reasons.
 
you can protect the server status with a password request.
Example (/etc/httpd/conf/httpd.conf):

<Location / server-status>
SetHandler server-status
Order deny, allow
Deny from all
Allow from 127.0.0.1
AuthUserFile /var/www/.htpasswd
AuthName server status
AuthType Basic
Require valid-user
</Location>

## service httpd reload
 
I found that the requests all come frome localhost. The Problem is caused by reverse proxy if requests come from localhost.
To block all requests the config must be like (/etc/apache2/mods-enabled/status.conf):
Code: 
<Location /server-status>
                SetHandler server-status
                Require all denied
        </Location>

I dont know if it is a Plesk specific problem, but it schould investigated, because its a big safety risk.
 
You must log in or register to reply here.

Similar threads

K
Resolved No confirmation given when changing Hosting type from Forwarding to Website, risk of PleskFatalException
Replies
7
Views
1K
Peter Debik
P
K
Forwarded to devs Custom domain name configured for autodiscovery not used for iOS QR code
Replies
2
Views
374
Peter Debik
P
K
Resolved Mail 'application user' has access to WPT by default
Replies
4
Views
968
mow
M
D
GIT extension 2.5.2 does not save token
Replies
0
Views
120
Duarte N
D
K
Resolved No DKIM key generated/shown when DNS component is not installed
2
Replies
25
Views
5K
Quotes
Quotes
Back
Top