An unmodified default setting in Apache Web Servers revealed crucial details related to TOR traffic that passed through that server.
It is a well-known fact that the hidden areas (or underworld) of the Internet such as The Dark Web can only be accessed through specialized services like I2p or Tor because these services are restricted and anonymized thoroughly.
However, these services also require a host server to operate and several methods can be utilized for this purpose but the simplest one is to use an Apache Web Server with a Tor daemon to maintain the anonymity feature of the service.
Unfortunately, even with all of its data anonymity pledges, Tor couldn’t be as secure for users only because of a minor flaw in the Apache Web Servers default settings.
Reportedly, a default setting was left unmodified in the Apache Web Servers and this resulted in leaking the information about traffic that the server hosted as well as whatever was stored on the server itself.
However, this isn’t a new issue because .onion sites have been facing the same issue for over a year. In fact, it has already been reported on Reddit and the Tor Project. But, famous security guru and Facebook software engineer Alec Muffet brought the issue to limelight by tweeting about the blog post from an unidentified computer science student. In the post, the student explained about the issue and its ramifications.
Tor hidden service operators: your default Apache install is probably vulnerable https://t.co/kAzl9F4isR
— Alec Muffett (@AlecMuffett) January 30, 2016
The default setting that causes this issue on Apache Web Servers is the Server Status module. It is usually activated by default and its output is available on every server if you access this URL:
The page displays data present on a server’s settings, resource usage, uptime, virtual hosts, active HTTP requests and total traffic. Such critical details can easily help an individual in detecting the timezone, relevant geographic position, IP address and language settings through improperly configured virtual hosts.
It isn’t merely an assumption because Tor website’s traffic was sniffed as per this theory by a student, who discovered an active Server Status page that was used by a Dark Web search engine.
When the student observed the active HTTP requests of the server, he could view whatever others were searching on that service; some queries were adult-rated. The student took a screenshot of one of the searches in which the user searched for: “How to get rid of 2 bodies.”
If you are using Tor disable the module quickly all you need is to run this shell command only:
Here "ap2" refers to Apache 2.x, which is the latest Apache stable branch, "dis" refers to disable, "mod" refers to a module, and "status" means Server Status module.
You will be able to see a 404 or 403 error message while accessing this URL if you have disabled the Server-Status page.