[Koha-bugs] [Bug 30439] New: Apache server status module is exposed publicly on Koha bytemark hosted websites

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Sat Apr 2 15:56:36 CEST 2022


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30439

            Bug ID: 30439
           Summary: Apache server status module is exposed publicly on
                    Koha bytemark hosted websites
 Change sponsored?: ---
           Product: Koha
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5 - low
         Component: Architecture, internals, and plumbing
          Assignee: koha-bugs at lists.koha-community.org
          Reporter: james at jmwhite.co.uk
        QA Contact: testopia at bugs.koha-community.org

Hi,

My name is James White, I'm a Web Developer at Nottingham College. A member of
the public through responsible disclosure has alerted us to the fact that our
Koha library site at: https://library.nottinghamcollege.ac.uk currently has the
Apache Server Status module publicly exposed and is accessible through any IP
address: https://library.nottinghamcollege.ac.uk/server-status

This reveals various server information as well as network requests, which
could potentially expose sensitive information such as tokens, CSRF etc.

My investigation has identified this service is hosted by Bytemark, which I
assume is some form of cloud hosting agreement with yourselves, but I could be
wrong as I'm not able to verify our exact relationship with Koha internally at
this time.

However, I'm hoping by reporting it here that it can get to the right place. I
also found another Koha site also hosted on Bytemark which is also exposing the
Apache server status information: https://koha.lboro.ac.uk/server-status, so it
suggests it's likely happening for other Koha hosted sites through this
platform.

Ideally, the server status module needs to be restricted to localhost or
trusted subnets, not the public WAN.

Thanks,

James
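The restriction the reporter asks for (status page reachable from localhost or trusted subnets only) is a small change to the mod_status configuration. The following is an added example and is not taken from the bug report, from Bytemark, or from the Koha project; it assumes a Debian-family Apache 2.4 host where mod_status is configured in /etc/apache2/mods-available/status.conf, and 192.0.2.0/24 stands in for whatever monitoring range you actually trust.

```apache
# Added example (not from the bug report or the Koha project): restricting
# mod_status so that /server-status answers only to loopback and one trusted
# subnet. Assumed location on Debian-family hosts:
# /etc/apache2/mods-available/status.conf. 192.0.2.0/24 is a placeholder
# for your own trusted range.

<IfModule mod_status.c>
    # Weak setting that produces the exposure described in this bug:
    # anyone who can reach the vhost can read the status page.
    #
    #   <Location /server-status>
    #       SetHandler server-status
    #       Require all granted
    #   </Location>

    # Hardened setting: in Apache 2.4, multiple Require lines in a
    # <Location> are ORed by default, so this admits loopback clients and
    # the named subnet and rejects everyone else with 403.
    <Location /server-status>
        SetHandler server-status
        Require local
        Require ip 192.0.2.0/24
    </Location>

    # With ExtendedStatus On the page lists each worker's current request
    # line (path and query string), which is where tokens carried in URLs
    # would appear. Keep it off unless monitoring needs per-request detail.
    ExtendedStatus Off
</IfModule>
```

Because the `<Location>` block sits in server-wide configuration rather than inside a `<VirtualHost>`, it applies to every vhost Apache serves, so a Koha host's OPAC and staff-interface vhosts are covered together. After editing, run `apache2ctl configtest` and reload Apache; a request for /server-status from an address outside the allowed set should then return 403. One caveat: if Apache sits behind a load balancer or reverse proxy, `Require ip` is evaluated against the proxy's address, not the real client's, so either enforce the restriction at the proxy or configure mod_remoteip so that the client address Apache sees is the original one.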

-- 
You are receiving this mail because:
You are the assignee for the bug.
You are watching all bug changes.

