httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Volker <>
Subject server-status-handler information leak
Date Fri, 11 Jun 2010 12:39:02 GMT
Hash: SHA1


while playing around with handlers, i noticed, that any user can
register the 'server-status'-handler by putting

SetHandler server-status

in an htacces-File. This can not be prevented by using a alternating
AllowOverride-directives, since 'SetHandler' is part of 'FileInfo' which
also holds ErrorDocuments, mod_rewrite, etc.

Since the server-status-handler offers information one might not want
others to have access to (for example a massive shared hosting
environment), i created a small patch that enables a custom handlername
for the server-status-module. Just thought someone else might have use
for it.

What this patch does:
- - reserves memory for directive with parameter (AP_INIT_TAKE1)
- - adds a function for creating config-records (create_modstatus_config)
- - adds a function to set the handlername (set_serverstatus_handler_name)

If the handlername is not set using the directive, it defaults to the
old 'server-status' and continues to work with the old setting.

How to test:

1. build and install the module with apxs2
2. create a new directive like the following in the root-configuration
of the server

ServerStatusHandlerName statusteststring

3. set a handler somewhere like the following:

SetHandler statusteststring

attached files:
mod_status.c - the complete module
mod_status-diff.patch - the patch with all changes made

Any comments, suggestions, improvements and/or critical comments are

best regards

Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla -


View raw message