
I have just received an Acunetix report from the network security section for my Apache server on 64-bit Windows 10, with Moodle 4.0 installed. Such an issue is only observed in the Windows version of Apache but not the Ubuntu one. The report also states that this is a 0day issue, but I wonder whether there is a way to get it resolved manually, as it is no longer possible for me to migrate the entire LMS to another OS/host.

Note: The server was updated to Apache Lounge httpd-2.4.54-win64-VS16 prior to the scan. Is it possible that I have misconfigured anything?

The report states the following:

Apache HTTP Server Source Code Disclosure

Due to a flaw in Apache HTTP Server, an attacker can read the source code of the web application by sending a specially crafted request. An attacker can gather sensitive information (database connection strings, application logic) by analyzing the source code. This information can be used to conduct further attacks.

Request

GET /index.php HTTP/1.1
Content-Length: acx
Cookie: MoodleSession=(id)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Host: (domain)
Connection: Keep-alive

Reference

https://web.archive.org/web/20210909012535/https://zeronights.ru/wp-content/uploads/2021/09/013_dmitriev-maksim.pdf

Jacky Wu

0 Answers
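As an added example (not part of the question, and not Acunetix or Apache code), a small Python check that a reverse proxy or log-review script could apply to a request head before it reaches the application server: it flags the non-numeric Content-Length in the request quoted above, which RFC 7230 section 3.3.2 requires a recipient to treat as an unrecoverable error. The CRLF line endings and the rejoined User-Agent line are assumptions; "(id)" and "(domain)" are the report's own placeholders.

```python
import re

# Request quoted in the Acunetix report above. The "(id)" and "(domain)"
# placeholders are the report's own; CRLF line endings are assumed.
SCANNER_REQUEST = (
    "GET /index.php HTTP/1.1\r\n"
    "Content-Length: acx\r\n"
    "Cookie: MoodleSession=(id)\r\n"
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
    "Accept-Encoding: gzip,deflate,br\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36\r\n"
    "Host: (domain)\r\n"
    "Connection: Keep-alive\r\n"
    "\r\n"
)

# RFC 7230 section 3.3.2: Content-Length = 1*DIGIT (no sign, no letters).
CONTENT_LENGTH_RE = re.compile(r"^[0-9]+$")


def parse_headers(raw):
    """Split a raw HTTP/1.1 request head into (request-line, [(name, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def check_request(raw):
    """Return a list of findings; an empty list means the head is acceptable."""
    request_line, headers = parse_headers(raw)
    findings = []
    lengths = [value for name, value in headers if name == "content-length"]
    for value in lengths:
        if not CONTENT_LENGTH_RE.match(value):
            findings.append("invalid Content-Length value %r" % value)
    if len(set(lengths)) > 1:
        findings.append("conflicting Content-Length values %r" % lengths)
    method = request_line.split(" ", 1)[0]
    if lengths and method in ("GET", "HEAD"):
        # Not forbidden by the RFC, but unusual enough to be worth logging.
        findings.append("%s request carries a Content-Length header" % method)
    return findings
```

Rejecting such a request at the proxy (HTTP 400) is the defensive action; the findings list is what an alert or log line would carry.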