Secure Apache status page
Having the Apache status page accessible by any user is a security risk.
The status page shows for each current connection:
- The remote IP address
- The vhost being accessed
- The exact path and query string being accessed
Alarmingly this could be used to steal passwords and even session keys from the query strings of other customer's websites. Sure, this information shouldn't be passed via the query string but in fact it often is. Additionally the status page can be used to determine who is visiting another customer's website and how often, even calculating analytics.
I can't see why it would ever be acceptable for http://127.0.0.1/whm-server-status to be accessible given the above. I submitted a support ticket about this but was asked to open a Feature Request here.
As far as myself and the support rep know, the page is actually only used to display the Apache Status page within WHM (it's not used to gather statistics for cPanel or anything like that). It should therefore be safe to remove or password protect (something which I'll be testing immediately and applying to our servers if suitable). However I do think this should be default. cPanel can password protect the status page and use this password when pulling the contents to display within WHM.