Netscaler Vulnerability


Apache server-status enabled

The remote web server discloses sensitive information about its status when the URL ‘/server-status’ is requested. The server returns information such as the current hosts and requests being processed, the number of idle servers, and CPU utilization. An attacker may use this information to craft further attacks.


Apache /server-status displays information about your Apache status. If you are not using this feature, disable it.


Possible sensitive information disclosure.


Disable this functionality if not required. Comment out the <Location /server-status> section from httpd.conf.

Reference :-

*** The following article must be followed to ensure that the customizations on the NetScaler are retained after the appliance has been rebooted:


Edit /etc/httpd.conf

And comment out the highlighted 5 lines:
# Allow server status reports, with the URL of http://servername/server-status
# Change the "" to match your domain to enable.
#<Location /server-status>
# SetHandler server-status
# Order deny,allow
# Deny from all
# Allow from all
copy httpd.conf to /var

create /flash/nsconfig/

killall -9 httpd
cp /var/httpd.conf /etc/httpd.conf
/bin/httpd -f /etc/httpd.conf

save ns config
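
A check to run after the edit described above, as an added example that is not part of the original post: it reports any `SetHandler server-status` directive that is still active in the file, and any closing tag left active after its opening tag was commented out, which httpd rejects as a syntax error at startup. The function names are hypothetical, and it assumes `awk`, `grep` and `mktemp` are available in the appliance shell.

```sh
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# audit_status_conf FILE prints one finding per line:
#   handler:<line>:<section>  an uncommented "SetHandler server-status"
#   orphan:<line>:<tag>       a closing tag whose opening tag is not active
audit_status_conf() {
    awk '
        { line = $0; sub(/^[ \t]+/, "", line); sub(/[ \t\r]+$/, "", line) }
        line == "" || line ~ /^#/ { next }        # blanks and comments are inert
        line ~ /^<\// {                            # closing tag
            if (depth > 0) depth--
            else printf "orphan:%d:%s\n", NR, line
            next
        }
        line ~ /^</ { section[++depth] = line; next }   # opening tag
        tolower(line) ~ /^sethandler[ \t]+"?server-status"?$/ {
            printf "handler:%d:%s\n", NR, (depth > 0 ? section[depth] : "(top level)")
        }
    ' "$1"
}

# Exit 0 when no active server-status handler remains in FILE.
server_status_disabled() {
    ! audit_status_conf "$1" | grep -q '^handler:'
}

# Exit 0 when every active closing tag has an active opening tag.
conf_is_balanced() {
    ! audit_status_conf "$1" | grep -q '^orphan:'
}

# Constructed sample: a status block that is still active.
sample=$(mktemp)
cat > "$sample" <<'EOF'
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from all
</Location>
EOF
audit_status_conf "$sample"    # prints handler:2:<Location /server-status>
rm -f "$sample"
```

Run both checks against the edited /etc/httpd.conf and the copy in /var before restarting httpd.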

