[MasterScrat]

Aren't the exposed client IPs at http://php.net/server-status/ a pretty big deal??

[pquerna]

FWIW, at least on apache.org, this is intentional:

http://www.apache.org/server-status

Additionally, mod_info is enabled, which lets you read nearly the entire running configuration:

http://www.apache.org/servinfo

[notatoad]

Why is that a big deal? Is exposing the public IPs of some random people really an issue?

[pjscott]

http://furry-incest-porn.xxx/server-status/

Yes, it's potentially an issue.

[notatoad]

Sure, for a skeezy site. The parent was talking specifically about php.org, I can't imagine any real risk for a site like that exposing their visitor ip log.

[julianz]

It's not just that. You can get an idea of the traffic to the site if you watch for a while. When that information might be commercially sensitive then it could be a genuine issue.

For example, nba.com has been averaging about 3 connections and 1021 idle workers while I've been watching it. That's perhaps less traffic than you might expect? I don't know, but if I were paying for ad space I might be interested.

[benjaminRRR]

Seems like a great way to test your DDOS toolset with real-world targets.

[CCs]

Can be an issue.

AOL deidentifed search data still allowed some people to be identified. When name is tied to some medical condition related search terms, it gets embarrassing...

[CCs]

http://www.healthboards.com/server-status/ now returns 404

Yesterday it was returning IP address list with associated medical condition of interest...

[jlgreco]

If there is no reason for it to be public, then it shouldn't be public, no matter how obscure the issues with it may seem to you.