Apache server-status enabled
The remote web server discloses sensitive information about its status when the URL ‘/server-status’ is requested. The server returns information such as current hosts and requests being processed, the number of idle servers, and CPU utilization. This information may be used by an attacker to craft further attacks.
Apache /server-status displays information about your Apache status. If you are not using this feature, disable it.
Possible sensitive information disclosure.
Disable this functionality if not required. Comment out the <Location /server-status> section in httpd.conf.
*** The following article must be followed to ensure the customizations on the NetScaler are retained after the appliance has been rebooted: http://support.citrix.com/article/CTX122271
Edit /etc/httpd.conf and comment out the highlighted 5 lines:
<pre>
# Allow server status reports, with the URL of http://servername/server-status
# Change the ".your-domain.com" to match your domain to enable.
#
#<Location /server-status>
# SetHandler server-status
# Order deny,allow
# Deny from all
# Allow from all
#</Location>
</pre>
Copy httpd.conf to /var.
Create /flash/nsconfig/nsbefore.sh:
<pre>
#!/bin/bash
# Stop the running web server
killall -9 httpd
# Restore the edited httpd.conf saved in /var
cp /var/httpd.conf /etc/httpd.conf
# Start httpd with the restored configuration
/bin/httpd -f /etc/httpd.conf
</pre>
Finally, run: save ns config
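Because nsbefore.sh copies /var/httpd.conf over /etc/httpd.conf at boot, the fix only holds if both copies have the handler commented out. The script below is an added example, not part of the original article; the function names and sample files are constructed for illustration, and it assumes a POSIX sh with awk.

```shell
#!/bin/sh
# Added example (not from the original article): audit httpd.conf copies
# for an active server-status handler. Function names are hypothetical.

# Print every uncommented "SetHandler server-status" with its enclosing
# <Location>; return 0 if at least one is active, 1 if none.
find_active_status() {
    awk '
        /^[ \t]*#/ { next }                       # commented-out directive
        { l = tolower($0) }                       # directive names are case-insensitive
        l ~ /^[ \t]*<location[ \t]/ { scope = $0 }
        l ~ /^[ \t]*<\/location>/   { scope = "" }
        l ~ /^[ \t]*sethandler[ \t]+server-status/ {
            where = (scope != "") ? "in " scope : "outside any <Location>"
            printf "%s:%d: active server-status handler %s\n", FILENAME, NR, where
            found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# The boot script copies /var/httpd.conf over /etc/httpd.conf, so every
# copy passed in must be clean. Returns 0 only if all files are hardened.
check_hardened() {
    rc=0
    for f in "$@"; do
        if [ ! -r "$f" ]; then
            echo "$f: not readable" >&2; rc=1
        elif find_active_status "$f"; then
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: the live file is fixed, the boot-time copy is not.
demo() {
    d=$(mktemp -d) || return 2
    printf '%s\n' '#<Location /server-status>' '# SetHandler server-status' \
        '#</Location>' > "$d/etc_httpd.conf"
    printf '%s\n' '<Location /server-status>' ' SetHandler server-status' \
        ' Order deny,allow' '</Location>' > "$d/var_httpd.conf"
    check_hardened "$d/etc_httpd.conf" "$d/var_httpd.conf"; rc=$?
    rm -rf "$d"
    return "$rc"
}

demo || echo "demo: at least one copy still exposes /server-status"
```

On the appliance, the equivalent call would be check_hardened /etc/httpd.conf /var/httpd.conf, using the two paths named in the steps above.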