Optionsbleed: a vulnerability? Nope, a ghost!
A bug that is really difficult to reproduce!
Hanno Böck, a freelance journalist and security researcher, has disclosed a bug in the Apache HTTP Server that causes servers to leak pieces of arbitrary memory in a way that could expose passwords or other secrets, much like the better-known (and far more dangerous) Heartbleed.
The vulnerability has been dubbed Optionsbleed (CVE-2017-9798) because the bug is triggered by HTTP OPTIONS requests. Under the hood it is a use-after-free in httpd, and it only shows up when the server configuration (typically a .htaccess file) contains a broken Limit directive, and even then mostly on busy servers:
The bug appears if a webmaster tries to use the "Limit" directive with an invalid HTTP method. The fix shipped in httpd 2.4.28; on older builds the practical workaround is to remove or correct the invalid method name.
Example .htaccess:
<Limit abcxyz>
</Limit>
Due to its nature the bug doesn’t appear deterministically. It only seems to appear on busy servers. Sometimes it only appears after multiple requests.
A recent scan of the Alexa Top 1 Million by Böck found only 466 hosts that were vulnerable.
How can I test it?
You can use curl in a loop, send OPTIONS requests and print only the Allow header of each response (replace https://example.com/ with the host you are testing):
for i in {1..100}; do curl -sI -X OPTIONS https://example.com/ | grep -i "allow:"; done
A healthy server returns the same clean list of methods every time (for example Allow: GET,HEAD,POST,OPTIONS); empty list items, duplicated methods or arbitrary text inside the header are the leak. Depending on the server configuration it may not answer OPTIONS requests on some URLs at all, so try several paths.
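The following checker is an added example written for this article; it is not Böck's proof of concept and not part of the original post. It does what the curl loop does by hand: it sends repeated OPTIONS requests and classifies each distinct Allow header. A clean comma-separated list of method names is fine, empty elements or text that is not a method name mean httpd copied freed memory into the header, and a list with duplicated methods is a weaker but still suspicious signal. The URL https://example.com/ and the sample header values in SAMPLES are constructed for illustration, not captured from a real server.

```python
"""
Added example: classify Allow headers returned to OPTIONS requests and
flag values that look like leaked memory (Optionsbleed, CVE-2017-9798).
Not Hanno Böck's PoC; the sample headers below are constructed.
"""
import http.client
import re
from urllib.parse import urlsplit

# Shape of a legitimate method name: letters with optional dashes,
# e.g. GET, OPTIONS, BASELINE-CONTROL. Anything else in the list is not
# something httpd would have put there on purpose.
METHOD_TOKEN = re.compile(r"^[A-Za-z]+(?:-[A-Za-z]+)*$")


def classify_allow(allow):
    """Return 'empty', 'clean', 'duplicates' or 'bleed' for an Allow header value."""
    if allow is None or allow.strip() == "":
        return "empty"
    items = [item.strip() for item in allow.split(",")]
    # An empty element (",,") or a token that is not a method name means
    # the server serialised something other than a method into the header.
    if any(not METHOD_TOKEN.match(item) for item in items):
        return "bleed"
    # All tokens are well-formed methods; repeated ones are still odd.
    if len({item.upper() for item in items}) != len(items):
        return "duplicates"
    return "clean"


def probe(url, count=100, timeout=10):
    """Send `count` OPTIONS requests to `url`; return {allow_value: verdict}
    for every distinct Allow header seen (None when the header is absent)."""
    parts = urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    results = {}
    for _ in range(count):
        # A fresh connection per request keeps the server-side allocation
        # pattern closer to the busy-server case the bug depends on.
        conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
        try:
            conn.request("OPTIONS", parts.path or "/")
            resp = conn.getresponse()
            allow = resp.getheader("Allow")
            resp.read()
        finally:
            conn.close()
        if allow not in results:
            results[allow] = classify_allow(allow)
    return results


# Constructed sample values (not real captures) showing the shapes the
# classifier distinguishes; the "bleed" ones mimic empty list items and
# stray text such as a timestamp or HTML fragment inside the header.
SAMPLES = {
    "GET,HEAD,POST,OPTIONS": "clean",
    "GET, HEAD, POST, OPTIONS, TRACE": "clean",
    ",GET,,,POST,OPTIONS,HEAD,,": "bleed",
    "POST,OPTIONS,,HEAD,:09:44 GMT": "bleed",
    'GET,HEAD,OPTIONS,,HEAD,!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0': "bleed",
    "GET,HEAD,OPTIONS,HEAD,HEAD": "duplicates",
    "": "empty",
}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Live probe, e.g.: python3 optionsbleed_check.py https://example.com/
        for allow, verdict in probe(sys.argv[1]).items():
            print(f"[{verdict}] {allow!r}")
    else:
        # Offline demonstration on the constructed samples.
        for allow in SAMPLES:
            print(f"[{classify_allow(allow)}] {allow!r}")
```

Run it without arguments to see the classifier on the constructed samples, or pass a URL to probe a host for real; as with the curl loop, a server that never sends an Allow header for that path simply yields an "empty" verdict, so test several URLs before concluding a host is clean.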
Böck has also published a Python proof-of-concept script: