13 Feb
Why would publishing a read-only HAProxy statistics page be considered a security vulnerability?
It seems that some HackerOne reports, such as https://hackerone.com/reports/1884372, claim that having the HAProxy statistics page visible to the world is a security vulnerability.
Since the default HAProxy `stats enable` configuration is always read-only, why would publishing a read-only HAProxy statistics page be considered a security vulnerability?
I understand that if the admin feature (`stats admin`) is enabled, then any visitor to the statistics page can cause a denial of service simply by clicking buttons on the page, and you obviously shouldn't expose this feature to the public.