Ensure the Info Module Is Disabled

Details

The Apache ‘mod_info’ module provides information on the server configuration via access to a ‘/server-info’ URL location.

Rationale:

Although having server configuration information available as a web page may be convenient, it’s recommended that this module be disabled. Once the module is loaded into the server, its handler capability is available in per-directory ‘.htaccess’ files. This can leak sensitive information, such as system paths, usernames/passwords, and database names, from the configuration directives of other Apache modules.

Solution

Perform either one of the following to disable the ‘mod_info’ module:

1. For source builds with static modules, run the Apache ‘./configure’ script without including ‘mod_info’ in the ‘--enable-modules=’ configure script options.

$ cd $DOWNLOAD/httpd-2.2.22
$ ./configure

2. For dynamically loaded modules, comment out or remove the ‘LoadModule’ directive for the ‘mod_info’ module from the ‘httpd.conf’ file.

##LoadModule info_module modules/mod_info.so
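To verify either change, the following added example (not part of the original guidance) checks a module listing in the format printed by `httpd -M` and scans configuration or `.htaccess` text for active `LoadModule info_module` or `SetHandler server-info` directives. The function names, file names and sample contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit for mod_info. All sample data below is constructed.

# Succeeds if a module listing on stdin (the format printed by `httpd -M`)
# contains info_module, whether compiled in (static) or loaded (shared).
listing_has_mod_info() {
    grep -Eq '^[[:space:]]*info_module[[:space:]]+\((static|shared)\)'
}

# Prints file:line:text for every active (uncommented) directive that loads
# mod_info or maps its server-info handler; returns 0 if any are found.
# Apache directive names are case-insensitive, hence -i.
find_mod_info_directives() {
    grep -HinE '^[[:space:]]*(LoadModule[[:space:]]+info_module([[:space:]]|$)|SetHandler[[:space:]]+"?server-info"?([[:space:]]|$))' "$@"
}

# Demo on constructed files (hypothetical names under a temp directory).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

cat > "$demo_dir/httpd-hardened.conf" <<'EOF'
##LoadModule info_module modules/mod_info.so
LoadModule status_module modules/mod_status.so
EOF

cat > "$demo_dir/httpd-weak.conf" <<'EOF'
LoadModule info_module modules/mod_info.so
EOF

cat > "$demo_dir/htaccess-sample" <<'EOF'
# per-directory file that exposes the handler once the module is loaded
SetHandler server-info
EOF

for f in "$demo_dir"/*; do
    if find_mod_info_directives "$f"; then
        echo "FAIL: $(basename "$f")"
    else
        echo "PASS: $(basename "$f")"
    fi
done
```

On a live server, pipe the real listing into the first function (`httpd -M 2>/dev/null | listing_has_mod_info`) and pass the actual `httpd.conf`, included files and `.htaccess` files to the second.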

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: System and Information Integrity. This control applies to the following type of system: Unix.


Updated on July 16, 2022