Web server status module must be disabled.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-26294	WA00510 W22	SV-33171r2_rule	ECAN-1	Medium

Description
The Apache mod_info module provides information on the server configuration via access to a /server-info URL location, while the mod_status module provides current server performance statistics. While having server configuration and status information available as a web page may be convenient, it is recommended that these modules not be enabled: Once mod_info is loaded into the server, its handler capability is available in per-directory .htaccess files and can leak sensitive information from the configuration directives of other Apache modules such as system paths, usernames/passwords, database names, etc. If mod_status is loaded into the server, its handler capability is available in all configuration files, including per-directory files (e.g., .htaccess) and may have security-related ramifications.

Description

The Apache mod_info module provides information on the server configuration via access to a /server-info URL location, while the mod_status module provides current server performance statistics. While having server configuration and status information available as a web page may be convenient, it is recommended that these modules not be enabled: Once mod_info is loaded into the server, its handler capability is available in per-directory .htaccess files and can leak sensitive information from the configuration directives of other Apache modules such as system paths, usernames/passwords, database names, etc. If mod_status is loaded into the server, its handler capability is available in all configuration files, including per-directory files (e.g., .htaccess) and may have security-related ramifications.

STIG	Date
APACHE SERVER 2.2 for Windows	2015-08-27

Details

Check Text ( C-33808r3_chk )
Open a command prompt window. Navigate to the “bin” directory (in many cases this may be [Drive Letter]:\[directory path]\Apache Software Foundation\Apache2.2\bin>). Enter the following command: httpd –M NOTE: Some installations may be running under apache.exe. In such case, validate by running the following command: apache -M This will provide a list of all loaded modules. If any of the following modules are found this is a finding: info_module & status_module.

Check Text ( C-33808r3_chk )

Open a command prompt window.

Navigate to the “bin” directory (in many cases this may be [Drive Letter]:\[directory path]\Apache Software Foundation\Apache2.2\bin>).

Enter the following command: httpd –M
NOTE: Some installations may be running under apache.exe. In such case, validate by running the following command: apache -M

This will provide a list of all loaded modules. If any of the following modules are found this is a finding: info_module & status_module.

Fix Text (F-29457r2_fix)
Disable info and status modules by adding a "#" in front of them within the httpd.conf file, and restarting the Apache service.