Sensitive Information Can Be Revealed From Tor Hidden Services On Apache

Patrick O'Neill writes: A common configuration mistake in Apache, the most popular Web server software in the world, can allow anyone to look behind the curtains on a hidden server to see everything from total traffic to active HTTP requests. When an hidden service reveals the HTTP requests, it's revealing every file—a Web page, picture, movie, .zip, anything at all—that's fetched by the server. Tor's developers were aware of the issue as early as last year but decided against sending out an advisory. The problem is common enough that even Tor's own developers have made the exact same mistake. Until October 2015, the machine that welcomed new users to the Tor network and checked if they were running up-to-date software allowed anyone to look at total traffic and watch all the requests.

If you take 3 different steps to conf it public

[raymorris]

First, the server admin would have to enable mod_status.
Then, by default it's visible only from the server itself - the physical console or an ssh connection.
Than to see the request urls, you have to turn ExtendedStatus on as well.

It's easy to miss one of these steps when you're TRYING to turn it on. If you're offering a hidden service, it seeme rather unlikely you'd work so hard to gather and publish extended status.

Re:If you take 3 different steps to conf it public

[dissy]

First, the server admin would have to enable mod_status.
Then, by default it's visible only from the server itself - the physical console or an ssh connection.
Than to see the request urls, you have to turn ExtendedStatus on as well.

It's easy to miss one of these steps when you're TRYING to turn it on. If you're offering a hidden service, it seeme rather unlikely you'd work so hard to gather and publish extended status.

I just spun up a brand new Debian 8.2 VM instance, apt-get upgraded it to current, and apt-get installed apache2 - everything current as of 10ish minutes ago.

root@dev10:~# ls -l /etc/apache2/mods-enabled/status*
lrwxrwxrwx 1 root root 29 Jan 30 21:58 /etc/apache2/mods-enabled/status.conf -> ../mods-available/status.conf
lrwxrwxrwx 1 root root 29 Jan 30 21:58 /etc/apache2/mods-enabled/status.load -> ../mods-available/status.load

root@dev10:~# grep -i extended /etc/apache2/mods-enabled/status.conf
                # Keep track of extended status information for each request
                ExtendedStatus On

root@dev10:~# grep -i location -A 2 /etc/apache2/mods-enabled/status.conf
                <Location /server-status>
                                SetHandler server-status
                                Require local

Both mod_status and the extended status mode are enabled by default.

Yes they are restricted to localhost only, however if one ran apache and a tor proxy on the same machine, the tor proxy would be connecting to apache over localhost and so would be allowed.

Being a debian config I would assume many debian based systems may very well have this same default config.

Looking at the first example screenshot in the article, it explicitly shows it to be apache 2.2.16 running on a debian system. That means the server came setup that way and the owner didn't disable it.

I can't speak for other distros or what the defaults are when apache is compiled from original sources and what not.
But I would certainly recommend at least looking through your 'mods-enabled' dir Just In Case (tm)

Summaries for Nerds

[bill_mcgonigle]

disable or restrict access to mod_status if you run a tor hidden service on Apache because mod_status is often enabled by default and serves to localhost; tor connects from localhost. mod_status shows some details of current requests which could leak info on other users.