Hacker News
by jd 4977 days ago
To those who think it isn't a big deal: when GET requests are made public you can snoop "password reset links" and similar to get access to somebody else's account. Even when developers use best practices, GET request paths can leak sensitive information.
3 comments

Attacking a system is not just guessing passwords. You need to gather as much information as you can about your target and devise an attack using what you know.

Maybe it's a DNS entry or network addresses that would have been secret if not for it appearing in server-status (there's a reason AXFR from random internet clients is a bad idea). Maybe it's a client IP that accesses an admin panel, and attacking that client machine will give you the keys to the kingdom. Maybe it's a PID that's guessable and gives an insight into what a new temporary file or directory will be called, exposing a race condition. Maybe it's the very precise time information to be used for making timing attacks easier. Maybe it's the number of workers configured that lets them tune an attack to fill up resources. Maybe it's the system utilization to help them figure out if they should attack CPU, memory or I/O. Perhaps it's the server version and OS telling them what software is running and thus what exploits they should pick first.

Or maybe it's the fact that the requests can be linked to client IPs to build a profile on specific users, violating their privacy.

Whatever the reason, it's stupid to keep this information public.

Some of the sites at http://urlfind.org/?server-status even keep a session id in the URL -- look for PHPSESSID.
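The leak classes listed in the comment above can be checked mechanically. What follows is an added example, not code from this thread or from the Apache project: a small Python triage script that parses a mod_status HTML page and flags session IDs and reset tokens in request URLs, client IPs that are hitting admin paths, the worker PIDs, and the server version banner. The sample page is constructed here to resemble the 2.2-era ExtendedStatus table (it is not captured from any real server), and the parameter names and admin prefixes are my own assumptions that you would tune for your own applications.

```python
"""Triage a public Apache mod_status page for the leak classes discussed above.

Added example (not from the thread or from Apache). SAMPLE_STATUS_PAGE is
constructed to resemble the per-connection table that mod_status emits when
ExtendedStatus is On; it is not captured from a real server.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

# Assumed indicator lists; extend them for the applications you look after.
SESSION_PARAMS = {"phpsessid", "jsessionid", "sid", "sessionid", "session_id"}
TOKEN_PARAMS = {"token", "key", "code", "reset", "auth", "hash", "activation"}
ADMIN_PREFIXES = ("/admin", "/wp-admin", "/manager", "/phpmyadmin")

# Constructed sample page (addresses are documentation ranges, not real hosts).
SAMPLE_STATUS_PAGE = """
<html><head><title>Apache Status</title></head><body>
<h1>Apache Server Status for www.example.com</h1>
<dl><dt>Server Version: Apache/2.2.22 (Ubuntu) PHP/5.3.10</dt>
<dt>Server Built: Jul 12 2012 13:37:27</dt></dl>
<table border="0">
<tr><th>Srv</th><th>PID</th><th>Acc</th><th>M</th><th>CPU</th><th>SS</th><th>Req</th><th>Conn</th><th>Child</th><th>Slot</th><th>Client</th><th>VHost</th><th>Request</th></tr>
<tr><td><b>0-0</b></td><td>4121</td><td>0/9/9</td><td>W</td><td>0.02</td><td>0</td><td>3</td><td>0.0</td><td>0.01</td><td>0.01</td><td>198.51.100.7</td><td>www.example.com</td><td nowrap>GET /reset-password?token=4f9e1c2b7a HTTP/1.1</td></tr>
<tr><td><b>0-1</b></td><td>4122</td><td>1/3/3</td><td>_</td><td>0.01</td><td>2</td><td>1</td><td>0.0</td><td>0.00</td><td>0.00</td><td>192.0.2.44</td><td>www.example.com</td><td nowrap>GET /index.php?PHPSESSID=8d3f0a9e21b3c HTTP/1.1</td></tr>
<tr><td><b>0-2</b></td><td>4123</td><td>0/5/5</td><td>W</td><td>0.03</td><td>0</td><td>5</td><td>0.0</td><td>0.02</td><td>0.02</td><td>10.0.0.5</td><td>www.example.com</td><td nowrap>GET /admin/ HTTP/1.1</td></tr>
<tr><td><b>0-3</b></td><td>4124</td><td>2/8/8</td><td>K</td><td>0.01</td><td>1</td><td>0</td><td>0.0</td><td>0.01</td><td>0.01</td><td>203.0.113.99</td><td>www.example.com</td><td nowrap>GET /blog/post/123 HTTP/1.1</td></tr>
</table></body></html>
"""


class StatusPageParser(HTMLParser):
    """Collects the <dt> banner lines and every table row as a list of cell strings."""

    def __init__(self):
        super().__init__()
        self.dts, self.rows = [], []
        self._row = self._buf = None

    def handle_starttag(self, tag, attrs):
        if tag == "tr":
            self._row = []
        elif tag in ("td", "th", "dt"):
            self._buf = []

    def handle_endtag(self, tag):
        if tag == "tr" and self._row is not None:
            self.rows.append(self._row)
            self._row = None
        elif tag in ("td", "th", "dt") and self._buf is not None:
            text = "".join(self._buf).strip()
            self._buf = None
            if tag == "dt":
                self.dts.append(text)
            elif self._row is not None:
                self._row.append(text)

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)


def classify(client, request):
    """Map one (Client, Request) pair to the leak classes it exhibits."""
    parts = request.split()  # "GET /path?q=1 HTTP/1.1"
    if len(parts) < 2:
        return []
    url = urlsplit(parts[1])
    found = []
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name.lower() in SESSION_PARAMS:
            found.append(("session-id-in-url", client, request))
        elif name.lower() in TOKEN_PARAMS and len(value) >= 8:
            found.append(("secret-token-in-url", client, request))
    if url.path.lower().startswith(ADMIN_PREFIXES):
        found.append(("admin-client-ip", client, request))  # client worth targeting
    return found


def triage(page_html):
    """Return the server banner, worker PIDs and per-request findings from a status page."""
    parser = StatusPageParser()
    parser.feed(page_html)
    # Locate columns by header name rather than position: layouts differ between versions.
    header = next((r for r in parser.rows if "Client" in r and "Request" in r), None)
    if header is None:
        raise ValueError("no per-connection table: ExtendedStatus is probably Off")
    pid_col, client_col, req_col = (header.index(c) for c in ("PID", "Client", "Request"))
    version = next((d.partition(":")[2].strip() for d in parser.dts
                    if d.startswith("Server Version:")), None)
    pids, findings = [], []
    for row in parser.rows:
        if row is header or len(row) != len(header):
            continue
        if row[pid_col].isdigit():
            pids.append(int(row[pid_col]))  # sequential PIDs hint at guessable temp names
        findings.extend(classify(row[client_col], row[req_col]))
    return {"server_version": version, "pids": pids, "findings": findings}


if __name__ == "__main__":
    report = triage(SAMPLE_STATUS_PAGE)
    print("Server:", report["server_version"], "PIDs:", report["pids"])
    for kind, client, request in report["findings"]:
        print(f"{kind:22} {client:16} {request}")
```

Point the script at a saved copy of a real /server-status page (fetch it separately) to see which of the leak classes apply; if the per-connection table is missing, the server has ExtendedStatus Off and leaks only the banner and utilization figures. The proper fix is still to restrict the handler with `Require ip`/`Require local` (or `Allow from` on 2.2) rather than to hope the paths are uninteresting.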
Hi JD

You're right on the GET requests. :)

Any attacker or pentester worth their salt would be able to garner some good info from this.

See the reference to vulnerable software in the published post.

Cheers.

I think you might mean 'garner'? Just a heads up
Thanks for the heads up. Updated.