On 22/06/2010 12:40 a.m., Jim Jagielski wrote:
> There have been a few reports regarding how server-status "leaks"
> info, mostly about our (the ASF's) open use of server-status and
> how IP addresses are exposed.
>
> I'm thinking about a patch that adjusts server-status/mod_status
> to have a "public vs. private" setting... Public would be to
> have IP addresses exposed as public info; private would be to
> not expose 'em (keep 'em private).
>
> Comments?

I can't believe that when I informed apache.org of this issue 70 days ago, the immediate response wasn't simply to disable server-status or restrict it to clients from within Apache's network. It is a completely unreasonable violation of your customers' privacy to broadcast their IP addresses and viewing habits.

I sat and sniffed server-status today for an hour and saw lots of interesting things. These people thought it was interesting too:

Client - Requests for "/server-status?auto"
'121.2.73.140', '2'
'204.232.198.45', '18'
'209.40.196.203', '261'
'217.193.165.235', '27'
'222.73.44.146', '10'
'222.73.45.200', '15'
'222.73.68.35', '7'
'222.73.86.253', '17'
'61.57.131.230', '100'
'62.49.67.115', '18'
'64.27.116.177', '3'
'67.188.126.141', '3'
'67.199.134.1', '62'
'68.87.42.115', '13'
'69.70.70.186', '12'
'74.103.140.133', '172'
'81.0.134.157', '1'
'92.106.225.35', '42'

Client - Requests for "/server-status"
'118.90.8.44', '550' <- That's me
'119.63.88.205', '80'
'187.34.7.120', '1'
'217.193.165.235', '16'
'222.73.68.35', '1'
'60.195.252.106', '24'
'64.27.116.177', '12'
'68.87.42.115', '68'
'81.0.134.157', '37'
'92.106.225.35', '1'

Cheers,
Nicholas Sherlock
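The tallies above were gathered by polling the status page from outside. A site operator can get the same picture from the defender's side, from the access log, and use it to confirm that the "restrict to clients within the network" fix Nicholas asks for is actually in place. The following is an added example, not code from this thread or from httpd: it parses Apache combined-format log lines, counts successful requests to /server-status (plain and ?auto) per client, and reports any client outside an allowed network. The log lines, the IP addresses and the 10.0.0.0/8 "internal" range are constructed for the example.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample access-log lines in Apache combined format. The IPs,
# timestamps and user agents are made up for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Jun/2010:00:40:01 +1200] "GET /server-status?auto HTTP/1.1" 200 612 "-" "munin/1.4"
203.0.113.7 - - [22/Jun/2010:00:40:03 +1200] "GET /server-status HTTP/1.1" 200 15432 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Jun/2010:00:40:08 +1200] "GET /server-status HTTP/1.1" 200 15440 "-" "Mozilla/5.0"
198.51.100.9 - - [22/Jun/2010:00:40:10 +1200] "GET /index.html HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.9 - - [22/Jun/2010:00:40:12 +1200] "GET /server-status?auto HTTP/1.1" 200 612 "-" "curl/7.19"
192.0.2.44 - - [22/Jun/2010:00:40:20 +1200] "GET /server-status HTTP/1.1" 403 199 "-" "curl/7.19"
10.0.0.5 - - [22/Jun/2010:00:40:31 +1200] "GET /server-status?auto HTTP/1.1" 200 612 "-" "munin/1.4"
"""

# Combined log format: client, ident, user, [timestamp], "request", status, bytes, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Assumption for the example: monitoring hosts live in 10.0.0.0/8; anything else
# reading server-status is "outside the network".
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

STATUS_PATH = "/server-status"


def parse_line(line):
    """Return the parsed fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def status_requests(log_text):
    """Count successful (2xx) requests to /server-status, keyed by (client_ip, path).

    Denied requests (403 etc.) are skipped: they did not leak anything, and their
    presence means the access restriction is doing its job.
    """
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["status"].startswith("2"):
            continue
        path = rec["path"]
        # Match both /server-status and /server-status?auto (query string stripped).
        if path.split("?", 1)[0] == STATUS_PATH:
            counts[(rec["ip"], path)] += 1
    return counts


def external_status_clients(log_text, allowed=ALLOWED_NETS):
    """Clients that successfully read server-status from outside the allowed networks.

    Returns a Counter of client_ip -> number of successful status reads. A non-empty
    result means the status page is reachable from where it should not be.
    """
    external = Counter()
    for (ip, path), n in status_requests(log_text).items():
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in allowed):
            external[ip] += n
    return external


if __name__ == "__main__":
    for (ip, path), n in sorted(status_requests(SAMPLE_LOG).items()):
        print(f"{ip:16} {path:24} {n}")
    leaks = external_status_clients(SAMPLE_LOG)
    print("external readers:", dict(leaks) or "none")
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents and ALLOWED_NETS with the monitoring ranges that are meant to see the page; an empty result for external readers is what you want after restricting the /server-status location to those ranges (or removing it).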