Information
The Apache 'mod_status' module provides current server performance statistics.
Rationale:
When 'mod_status' is loaded into the server, its handler capability is available in all configuration files, including per-directory files (e.g., '.htaccess'). The 'mod_status' module may provide an adversary with information that can be used to refine exploits that depend on measuring server load.
Solution
Perform either one of the following to disable the 'mod_status' module:
1. For source builds with static modules, run the Apache './configure' script with the '--disable-status configure' script options.
$ cd $DOWNLOAD_HTTPD
$ ./configure --disable-status
2. For dynamically loaded modules, comment out or remove the 'LoadModule' directive for the 'mod_status' module from the 'httpd.conf' file.
##LoadModule status_module modules/mod_status.so