[eduVPN-deploy] [SECURITY] Debian+sslh mod_status exposure
François Kooman
fkooman at tuxed.net
Tue Mar 3 17:45:39 CET 2020
Hi all,

When the following two things are both true at the same time:

1. You run on Debian 9
2. You enabled "port sharing" for TCP/443 [1]

Then, unfortunately, the "/server-status" page is exposed to the whole
world! :'(

I've updated the documentation and deploy script to make sure this does
not happen in future deploys [2].

To fix it manually:

    $ sudo a2dismod status
    $ sudo systemctl restart apache2

**NOTE**: the two eduVPN participants listed in the official apps that
exposed the status page were made aware of this some hours ago.

Regards,
François

[1] https://github.com/eduvpn/documentation/blob/v2/PORT_SHARING.md
[2] https://github.com/eduvpn/documentation/commit/6aaf44dcedbb100848ecb04a05a4d65d79f66c4e
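
Added example, not part of the original message or of the eduVPN deploy scripts: a small shell check to confirm on your own server that the manual fix above took effect. It assumes curl is installed and uses Debian's a2query for the local module check; the function names and the hostname in the usage comment are placeholders.

```shell
#!/bin/sh
# Usage: sh check_status.sh vpn.example.org   (placeholder hostname)

# Map an HTTP status code and response body to a verdict.
# A mod_status page carries the heading "Apache Server Status for <host>".
classify_response() {
    case "$1" in
        200)
            case "$2" in
                *"Apache Server Status"*) echo exposed ;;
                *) echo review ;;        # 200, but not a recognisable status page
            esac ;;
        401|403|404) echo closed ;;
        000) echo unreachable ;;         # curl could not complete the request
        *) echo review ;;
    esac
}

# Split curl output produced with -w '\n%{http_code}' into body and code.
verdict_from_curl() {
    nl='
'
    classify_response "${1##*"$nl"}" "${1%"$nl"*}"
}

# Report whether the status module is enabled on this machine (Debian a2query).
module_state() {
    if ! command -v a2query >/dev/null 2>&1; then
        echo unknown
    elif a2query -m status >/dev/null 2>&1; then
        echo enabled
    else
        echo disabled
    fi
}

# Request /server-status over TCP/443 on the given host and print both results.
check_host() {
    out=$(curl -s --max-time 10 -w '\n%{http_code}' "https://$1/server-status") || true
    echo "status module on this machine: $(module_state)"
    echo "https://$1/server-status: $(verdict_from_curl "$out")"
}

if [ "$#" -ge 1 ]; then
    check_host "$1"
fi
```

After `a2dismod status` and the restart, the expected output on the server is `disabled` for the module and `closed` for the URL; an `exposed` verdict means the page is still being served.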