Netscaler Vulnerability

Apache server-status enabled

The remote web server discloses sensitive information about its status when the URL ‘/server-status’ is requested. The server returns information such as the current hosts and requests being processed, the number of idle servers, and CPU utilization. An attacker may use this information to craft further attacks.

Description

Apache /server-status displays information about your Apache status. If you are not using this feature, disable it.

Impact

Possible sensitive information disclosure.

Recommendation

Disable this functionality if not required. Comment out the <Location /server-status> section from httpd.conf.

Reference: http://www.acunetix.com/vulnerabilities/apache-server-status-enab/

*** The following article must be followed to ensure the customizations on the NetScaler are retained after the appliance has been rebooted: http://support.citrix.com/article/CTX122271

Solution

Edit /etc/httpd.conf

and comment out the five lines of the <Location /server-status> section (shown below already commented out):

# Allow server status reports, with the URL of http://servername/server-status
# Change the ".your-domain.com" to match your domain to enable.
#
#<Location /server-status>
# SetHandler server-status
# Order deny,allow
# Deny from all
# Allow from all
#</Location>

Copy the edited httpd.conf to /var.

Create /flash/nsconfig/nsbefore.sh with the following contents:

#!/bin/bash
# Runs at boot so the change survives a reboot (see the Citrix article above):
# stop the running httpd, restore the hardened config, and start httpd again.
killall -9 httpd
cp /var/httpd.conf /etc/httpd.conf
/bin/httpd -f /etc/httpd.conf

save ns config
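As an added example (not code from the post), the edit above can be scripted so that it is repeatable and can be verified after a reboot: the first function comments out the <Location /server-status> block of an httpd.conf, the second checks that no active server-status handler remains. It assumes the block is laid out on its own lines, as in the stock NetScaler file shown above; the sample config is constructed.

```shell
#!/bin/sh
# Added example, not from the post: harden an Apache httpd.conf by commenting
# out the <Location /server-status> block, then verify the result.

# Print $1 with every line of the <Location /server-status> ... </Location>
# block prefixed by '#'. Lines already commented are left alone, so the
# function is idempotent and safe to rerun on an already-hardened file.
disable_server_status() {
  awk '
    /^[[:space:]]*<Location \/server-status>/ { inblock = 1 }
    {
      if (inblock && $0 !~ /^[[:space:]]*#/) print "#" $0; else print
      if (inblock && $0 ~ /<\/Location>/) inblock = 0
    }
  ' "$1"
}

# Return 0 (true) if $1 still contains an uncommented server-status handler.
server_status_enabled() {
  grep -Eq '^[[:space:]]*SetHandler[[:space:]]+server-status' "$1"
}

# Constructed sample config for a local dry run; it mirrors the stock block.
SAMPLE_CONF='ServerName ns.example.invalid
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from all
</Location>
Listen 80'

# Dry run against the sample. On a NetScaler the equivalent would be
#   disable_server_status /etc/httpd.conf > /var/httpd.conf
# followed by installing /var/httpd.conf via nsbefore.sh as described above.
demo() {
  tmp=$(mktemp)
  printf '%s\n' "$SAMPLE_CONF" > "$tmp"
  disable_server_status "$tmp"
  rm -f "$tmp"
}
```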
