PUBLIC SERVICE ANNOUNCEMENT —

Default settings in Apache may decloak Tor hidden services

World's most widely used Web server often displays geographic locations of Tor sites.

Websites that rely on the Tor anonymity service to cloak their server address may be leaking their geographic location and other sensitive information thanks to a setting that's turned on by default in many releases of Apache, the world's most widely used Web server.

The information leak has long been known to careful administrators who take the time to read Tor documentation, but that hasn't prevented some Tor hidden services from falling victim to it. To plug the hole, darkweb sites that run Apache must disable the mod_status module that by default sets up a server status page displaying a variety of potentially sensitive information about the servers. Details include the number of requests per second sent to the server, the most recent HTTP requests received, CPU usage, and in some cases the approximate longitude of the server.

It would appear some hidden services still haven't figured out that many Apache installations display the data by default. In a blog post published over the weekend, an anonymous poster wrote:

I've discovered several such exposures over the last six months, reporting them wherever a contact was provided. And it's not just static pages or small personal sites that are vulnerable. Even sites where user privacy is absolutely imperative show negligence in this regard. Toward the end of 2015, I found a popular .onion search engine that had failed to disable the status module. As you might imagine, the result was not pretty.

I reported the flaw, and it was fixed within a few hours. A fine response, but it shouldn't have been necessary in the first place. It's a little ridiculous that such a basic server misconfiguration could be so dangerous. Forget 0days, traffic analysis, and crypto attacks; it's simple mistakes like this that bite the hardest.

Finding vulnerable servers is as easy as appending /server-status to the base onion address of the hidden service. Turning off the default setting isn't complicated, either. It involves disabling the mod_status module using the a2dismod status command.

Channel Ars Technica