Default Settings In Apache Servers Can Leak Details about Tor traffic. This has happened the second time in this week. Leaving default setting open after the product has been released can cause serious problems for the product users. Earlier we had MediaTek leaving a debug tool meant for developers open after shipping which could let potential hackers steal sensitive information from Android smartphones running on MediaTek processors.
Latest to join this default party is Tor. It so happens that default setting left unmodified in Apache Web servers can reveal details about Tor traffic handled through that particular server.
As you know, the dark web which hosts .onion websites can be accessed using Tor anonymity browser. There are various methods of doing this, and one of the simplest is to use an Apache Web server along with a Tor daemon to handle the “anonymous” part of the server’s traffic.
Unfortunately, a default setting in Apache Web servers, if left unmodified could leak information on the traffic that’s going on via the server, and the server itself.
This was reported to the Tor Project admin and also covered on Reddit but to no avail. The issue has once again been brought to forefront by Alec Muffet, Facebook software engineer who tweeted the blog post of an unknown computer science student that explained this problem and its ramifications.
The Apache server setting causing this issue is the Server Status module which comes activated by default. The output of this module is available on every server when accessing the URL: http://website.com/server-status/
This page will show data on a server’s settings, uptime, resource usage, total traffic, virtual hosts, and active HTTP requests. Details like these can help someone detect the server’s timezone, relative geographical position, language settings, and even its IP address via improperly configured virtual hosts.
If you run a Tor website on top of an Apache server, you may want to check your server’s config. To quickly disable the module just run the following shell command:
sudo ap2dismod status
“ap2” stands for Apache 2.x, the latest Apache stable branch, “dis” means disable, “mod” is module, and “status” refers to the Server Status module.
If you disabled the Server-Status page, when accessing its URL, you should see a 404 or 403 error message.
Sample server activity log from a real-life Tor website hosted on an Apache server