Misconfigured Apache sites expose user passwords, other private data
More than 2,000 websites—some operated by Fortune 500 companies, game sites, and retail outlets—are exposing system status information that can be used by attackers to compromise Web servers or customer accounts, a recent research project found.
Sites such as staples.com, cisco.com, and axtel.mx run the popular Apache webserver application with a feature known as server-status enabled, according to Daniel Cid, CTO of Web security firm Sucuri. He scanned more than 10 million websites and found 2,072 that left the status page wide open.
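For administrators checking their own servers, the following added example (not from the article or from Sucuri's research) audits Apache configuration text for `<Location>` blocks served by mod_status and reports whether each is open to all clients. The function name `audit_status_blocks` and the sample configurations are constructed for illustration.

```python
import re

# Constructed sample configurations (not taken from any site named above).
EXPOSED = """
<Location "/server-status">
    SetHandler server-status
    Require all granted
</Location>
"""
RESTRICTED = """
<Location /server-status>
    SetHandler server-status
    # only the local host and the internal range may read the page
    Require local
    Require ip 10.0.0.0/8
</Location>
"""
LEGACY_OPEN = """
<Location /status>
    SetHandler server-status
    Order allow,deny
    Allow from all
</Location>
"""
NO_ACL = "<Location /st>\n  SetHandler server-status\n</Location>\n"

# Matches <Location path> ... </Location>; <LocationMatch> is not covered here.
BLOCK = re.compile(r'<Location\s+"?([^\s">]+)"?\s*>(.*?)</Location>', re.I | re.S)

def audit_status_blocks(conf_text):
    """Return [(path, verdict)] for each <Location> block handled by mod_status."""
    findings = []
    for path, body in BLOCK.findall(conf_text):
        # Normalise whitespace and case; skip blank lines and comment lines.
        lines = [" ".join(l.split()).lower() for l in body.splitlines()]
        lines = [l for l in lines if l and not l.startswith("#")]
        if "sethandler server-status" not in lines:
            continue  # block is not the status handler
        acl = [l for l in lines if l.startswith(("require ", "allow from", "deny from"))]
        if "require all granted" in acl or "allow from all" in acl:
            verdict = "exposed"            # explicitly open to every client
        elif acl:
            verdict = "restricted"         # some host/IP/auth restriction present
        else:
            verdict = "unrestricted-here"  # no access rule inside this block
        findings.append((path, verdict))
    return findings
```

A verdict of `unrestricted-here` means the block itself carries no access rule, so exposure depends on what is inherited from the enclosing server or virtual-host scope.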
Story added 1 November 2012. The full text is available from the original content source.