https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30439 Bug ID: 30439 Summary: Apache server status module is exposed publicly on Koha bytemark hosted websites Change sponsored?: --- Product: Koha Version: unspecified Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 - low Component: Architecture, internals, and plumbing Assignee: koha-bugs@lists.koha-community.org Reporter: james@jmwhite.co.uk QA Contact: testopia@bugs.koha-community.org Hi, My name is James White, I'm a Web Developer at Nottingham College. A member of the public through responsible disclosure has alerted us to the fact that our Koha library site at: https://library.nottinghamcollege.ac.uk currently has the Apache Server Status module publicly exposed and is accessible through any IP address: https://library.nottinghamcollege.ac.uk/server-status This reveals various server information as well as network requests, which could potentially expose sensitive information such as tokens, CSRF etc. My investigation has identified this service is hosted by Bytemark, which I assume is some form of cloud hosting agreement with yourselves, but I could be wrong as I'm not able to verify our exact relationship with Koha internally at this time. However, I'm hoping by reporting it here that is can get to the right place. I also found another Koha site also hosted on Bytemark which is also exposing the Apache server status information: https://koha.lboro.ac.uk/server-status, so it suggests it's likely happening for other Koha hosted sites through this platform. Ideally, the server status module needs to be restricted to localhost or trusted subnets, not the public WAN. Thanks, James -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.