• caglararli@hotmail.com
  • 05386281520

Why would publishing read-only HAProxy statistics page be considered a security vulnerability?

Çağlar Arlı      -    90 Views

Why would publishing read-only HAProxy statistics page be considered a security vulnerability?

It seems that some HackerOne reports such as https://hackerone.com/reports/1884372 claim that having HAProxy statistics page visible to the world is a security vulnerability.

Since HAProxy default stats enable configuration is always read-only, why would publishing read-only HAProxy statistics page be considered a security vulnerability?

I understand that if the admin features (stats admin) is enabled, then any visitor of the statistics page can cause denial-of-service simply by clicking buttons on the page and you obviously shouldn't expose this feature to public.