[Koha-bugs] [Bug 30439] New: Apache server status module is exposed publicly on Koha bytemark hosted websites
bugzilla-daemon at bugs.koha-community.org
Sat Apr 2 15:56:36 CEST 2022
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30439
Bug ID: 30439
Summary: Apache server status module is exposed publicly on
Koha bytemark hosted websites
Change sponsored?: ---
Product: Koha
Version: unspecified
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5 - low
Component: Architecture, internals, and plumbing
Assignee: koha-bugs at lists.koha-community.org
Reporter: james at jmwhite.co.uk
QA Contact: testopia at bugs.koha-community.org
Hi,
My name is James White, I'm a Web Developer at Nottingham College. A member of
the public, through responsible disclosure, has alerted us to the fact that our
Koha library site at https://library.nottinghamcollege.ac.uk currently has the
Apache Server Status module publicly exposed, accessible from any IP
address: https://library.nottinghamcollege.ac.uk/server-status
This reveals various server information as well as network requests, which
could potentially expose sensitive information such as tokens, CSRF etc.
My investigation has identified this service is hosted by Bytemark, which I
assume is some form of cloud hosting agreement with yourselves, but I could be
wrong as I'm not able to verify our exact relationship with Koha internally at
this time.
However, I'm hoping that by reporting it here it can get to the right place. I
also found another Koha site hosted on Bytemark which is exposing the Apache
server status information: https://koha.lboro.ac.uk/server-status, so it
suggests it's likely happening for other Koha sites hosted through this
platform.
Ideally, the server status module needs to be restricted to localhost or
trusted subnets, not the public WAN.
Thanks,
James
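The restriction the report asks for, shown as an added example rather than any configuration from the report, from Koha or from the hosting provider. It assumes Apache 2.4 `Require` syntax (Apache 2.2 used `Order`/`Allow` directives instead) and uses 192.0.2.0/24, an RFC 5737 documentation range, as a stand-in for whatever management subnet is actually trusted.

```apache
# Exposed configuration, matching the state the report describes: any
# client on the internet can fetch /server-status. Do not deploy this.
<IfModule mod_status.c>
    ExtendedStatus On
    <Location "/server-status">
        SetHandler server-status
        Require all granted
    </Location>
</IfModule>

# Restricted configuration for Apache 2.4. Several Require lines inside a
# <Location> without an explicit RequireAll/RequireAny container are
# combined as RequireAny, so a client matching either line is allowed.
# 192.0.2.0/24 is a placeholder (documentation range); replace it with the
# subnet that should be able to read the status page.
<IfModule mod_status.c>
    ExtendedStatus On
    <Location "/server-status">
        SetHandler server-status
        Require local
        Require ip 192.0.2.0/24
    </Location>
</IfModule>
```

Two caveats when applying this. First, `ExtendedStatus On` is what makes the page list the request line (path and query string) of every in-flight request, which is how tokens carried in URLs end up visible; turning it off narrows the leak but does not replace the access restriction. Second, `Require local` and `Require ip` evaluate the TCP peer address, so behind a reverse proxy or CDN the check sees the proxy, not the browser, unless mod_remoteip is configured to recover the client address; a proxy running on the same host would satisfy `Require local` for everyone. After reloading Apache, a request such as `curl -sI https://library.example/server-status` from an untrusted network should return 403 rather than 200.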