Forwarded to devs <domain>/server-status is accessible when frame forwarding configured

[lukas-degan]

Username: lukas-degan

TITLE

<domain>/server-status is accessible when frame forwarding configured

PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE

Plesk Obsidian, Version 18.0.31 Update Nr. 2, Debian 10 64 Bit

PROBLEM DESCRIPTION

If hosting type of a domain is set to "frame forwarding", the apache status page under "https://<domain>/server-status" is public accessible. If its set for example to "permanent moved" it is not accessible.
And all this without any special manual configuration.

STEPS TO REPRODUCE

Set hosting type to "frame forwarding" and access the URL under: https://<domain>/server-status

ACTUAL RESULT

The Apache status page with many private information are accessible for everyone.

EXPECTED RESULT

The status page is not accessible without any explicit configuration.

ANY ADDITIONAL INFORMATION



YOUR EXPECTATIONS FROM PLESK SERVICE TEAM

Confirm bug

 

[IgorG]

From developer:

Plesk does not manage any server-status pages. I was able only to find KB about the manual configuration of this module to add such page for all domains (How to enable the Apache server statistics on a Plesk server). So it's not a Plesk related issue, but admin should check - does really server-status page is accessible for everyone and if so, add some kind of IP access restriction.

 

[lukas-degan]

From developer:

Plesk does not manage any server-status pages. I was able only to find KB about the manual configuration of this module to add such page for all domains (How to enable the Apache server statistics on a Plesk server). So it's not a Plesk related issue, but admin should check - does really server-status page is accessible for everyone and if so, add some kind of IP access restriction.

Hi Igor,

thx for your reply. Can i only configure this for all domains or also for specific?
I checked "/etc/apache2/mods-enabled/status.conf" and there are no manual configruations. Its the default config.

If i try to acces a domain without any redirections i get "403 Forbidden" on the "server-status" page.
I will try to set the ip restriction and give you reply soon.

 

[Atramasis]

I see it as a problem, too. If I set up a hosted website, /server-status is not accessible. But if it is a frame forwarding, than it is accessible. It should behave the same way or maybe there should be an option to enable / disable it, for security reasons.

 

[moswak]

you can protect the server status with a password request.
Example (/etc/httpd/conf/httpd.conf):

<Location / server-status>
SetHandler server-status
Order deny, allow
Deny from all
Allow from 127.0.0.1
AuthUserFile /var/www/.htpasswd
AuthName server status
AuthType Basic
Require valid-user
</Location>

## service httpd reload

 

[lukas-degan]

I found that the requests all come frome localhost. The Problem is caused by reverse proxy if requests come from localhost.
To block all requests the config must be like (/etc/apache2/mods-enabled/status.conf):

<Location /server-status>
                SetHandler server-status
                Require all denied
        </Location>

I dont know if it is a Plesk specific problem, but it schould investigated, because its a big safety risk.