A vulnerability has been discovered in Apache Web Server that could allow for information disclosure. This vulnerability has been named Optionsbleed due to the HTTP method request used to exploit it. Apache Web Server is open source server software that is maintained by the Apache Software Foundation. Successful exploitation of this vulnerability could allow for unauthorized viewing of sensitive information.
There are no reports of this vulnerability being actively exploited in the wild.
- Apache Web Server version 2.2.34 and prior
- Apache Web Server version 2.4.27 and prior
The Optionsbleed vulnerability exists when a misconfigured .htaccess file causes the OPTIONS response to contain data from memory. If any of the HTTP methods an administrator configures in their settings are not applicable, the Optionsbleed vulnerability is triggered and the data returned comes from the memory of the Apache server software. That data can include content from other websites or from the server itself, and possibly sensitive information.
An unauthenticated, remote attacker can purposely trigger the vulnerability by sending an HTTP OPTIONS request to the server. Both kinds of environment are affected: web servers hosting multiple websites and web servers hosting a single website. The vulnerability can be triggered:
- on an Apache Web Server hosting multiple websites, when the Limit setting of the web server's .htaccess file contains the same HTTP method as the .htaccess file of any individual website hosted by that server;
- or on any Apache Web Server, regardless of the number of hosted websites, if a non-existent or invalid method is included in the Limit setting of the .htaccess file.
An unauthenticated, remote attacker can also create a website on the web server and purposefully trigger the Optionsbleed bug in their .htaccess file and continuously run OPTIONS requests in order to gather leaked data from a webserver.
Successful exploitation of this vulnerability results in additional information being returned that could possibly contain sensitive information.
- After appropriate testing, immediately apply the patch that is available from Apache source code servers.
- Ensure that your hosting provider is running a non-affected version of Apache Web Server.
- For locally hosted Apache Web Servers, verify the .htaccess file configuration.
- Verify no unauthorized system modifications have occurred on the system before applying the patch.
- Frequently validate type and content of uploaded data.
- Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
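For the recommendation to verify the .htaccess file configuration, the following added example (not part of the original advisory, and not Apache's own tooling) flags Limit and LimitExcept settings that name a non-existent or invalid method. The set of known methods is an assumed baseline, compared case-sensitively, and should be extended with any methods your server's modules register; the function names and the sample file are constructed for illustration.

```python
import os
import re

# Assumed baseline of valid method names (core HTTP plus common WebDAV methods).
KNOWN_METHODS = {
    "GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "PATCH",
    "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK",
}

# Opening <Limit ...> or <LimitExcept ...> tag; closing tags do not match.
LIMIT_TAG = re.compile(r"^\s*<\s*(LimitExcept|Limit)\s+([^>]*)>", re.IGNORECASE)

# Constructed sample .htaccess content, not taken from a real server.
SAMPLE = """\
# constructed sample .htaccess
<Limit GET POST>
  Require all granted
</Limit>
<Limit abcxyz>
  Require all denied
</Limit>
<LimitExcept GET get>
  Require valid-user
</LimitExcept>
"""

def audit_htaccess(text, source="<htaccess>"):
    """Return (source, line_no, directive, method) for each unknown method."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # skip comment lines
        match = LIMIT_TAG.match(line)
        if match:
            for method in match.group(2).split():
                if method not in KNOWN_METHODS:
                    findings.append((source, line_no, match.group(1), method))
    return findings

def scan_tree(root):
    """Audit every .htaccess file found under root (for example a document root)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as handle:
                findings.extend(audit_htaccess(handle.read(), path))
    return findings

if __name__ == "__main__":
    for finding in audit_htaccess(SAMPLE, "sample"):
        print("%s:%d: <%s> names unknown method %r" % finding)
```

This covers only the invalid-method condition; the multi-site condition, where the same method appears in both the web server's and an individual site's .htaccess file, still needs a manual comparison of the Limit settings across those files.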