Security researcher Hanno Böck declared on Monday that a program called httpd, probably better known as the Apache Web Server, and officially called the Apache HTTP Server Project, can leak server memory content via a vulnerability called Optionsbleed — tracked as CVE-2017-9798. The vulnerability can allow attackers to access secret data from other customers’ hosts on the same system.
By using ‘options’ you can avoid hammering a web server with requests that are never going to work, thus avoiding frustration at your end of the connection, and saving the server from a wasted effort at the other.
Apache servers can be configured by putting files called .htaccess into the directory tree of content that is stored on the server.
Each .htaccess file sets configuration options for the directory it’s in and all the others below it, unless their settings are overridden by another .htaccess file lower down, and so on.
The vulnerability is similar to other bugs that leak server memory, including Heartbleed, in the way that attackers can query servers and trick Apache in responding with more data than it intended. Heartbleed was exploited by hackers to steal passwords from Yahoo and other sites.
Böck says Optionsbleed is not as severe as Heartbleed because it leaks content processed by the Apache web server process only and not memory content from the underlying machine, including other applications. This means the leaked data is limited to whatever Apache is processing, which is mostly the content of web pages only available to authenticated users.
Fortunately, Apache has patched the vulnerability. According to Yann Ylavic, member of the Apache HTTP Server Project Management Committee, the risk of leaks is limited as affected configurations also see only a few bytes of data leaking. Ylavic told Threatpost that there is no indication yet of any sensitive data having been disclosed.