The Optionsbleed vulnerability in Apache
HTTP Server can cause certain systems to leak potentially
sensitive data in response to HTTP OPTIONS requests.
The freelance journalist and security researcher Hanno Böck
discovered a vulnerability, dubbed Optionsbleed, in Apache
HTTP Server (httpd) that can cause certain systems to leak
potentially sensitive data in response to HTTP OPTIONS
Böck was analyzing HTTP methods when he noticed that requests
with the OPTIONS method, which is normally used by a client to ask
a server which HTTP methods it supports, were returning apparently
corrupted data via the Allow header instead of the list of
supported HTTP methods (e.g. Allow: GET, POST, OPTIONS, HEAD).
However, some of the responses to the researcher's requests looked
Below is an example of the responses obtained by Böck:
Allow: POST,OPTIONS,,HEAD,:09:44 GMT
Allow: GET,HEAD,OPTIONS,,HEAD,,HEAD,,HEAD,, HEAD,,HEAD,,HEAD,,HEAD,POST,,HEAD,, HEAD,!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
Allow: GET,HEAD,OPTIONS,=write HTTP/1.0,HEAD,,HEAD,POST,,HEAD,TRACE
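As an added illustration (not code from the article or from the researcher's PoC), the sketch below classifies an Allow header value offline: any entry that cannot be an HTTP method token, as in the responses above, marks the header as corrupted. The function name, verdict labels and method allow-list are assumptions made for this example.

```python
import re

# RFC 7230 "token": the only characters an HTTP method name may contain.
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

# Assumed allow-list of method names; extend it (e.g. WebDAV) for your servers.
KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT",
                 "OPTIONS", "TRACE", "PATCH"}


def check_allow(value):
    """Return (verdict, findings) for one Allow header value.

    verdict is "clean", "suspicious" (empty, repeated or unknown entries)
    or "corrupted" (an entry that cannot be an HTTP method at all).
    """
    findings, seen = [], set()
    for raw in value.split(","):
        item = raw.strip()
        if not item:
            findings.append(("empty", ""))
        elif not TOKEN.fullmatch(item):
            findings.append(("not-a-token", item))
        elif item not in KNOWN_METHODS:
            findings.append(("unknown-method", item))
        elif item in seen:
            findings.append(("duplicate", item))
        seen.add(item)
    if any(kind == "not-a-token" for kind, _ in findings):
        return "corrupted", findings
    return ("suspicious" if findings else "clean"), findings


# Allow values quoted in the article, plus the well-formed form it mentions.
SAMPLES = [
    "GET, POST, OPTIONS, HEAD",
    "POST,OPTIONS,,HEAD,:09:44 GMT",
    "GET,HEAD,OPTIONS,=write HTTP/1.0,HEAD,,HEAD,POST,,HEAD,TRACE",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict, findings = check_allow(sample)
        print(f"{verdict:10} {sample!r}")
        for kind, item in findings:
            print(f"           {kind}: {item!r}")
```

Run it against the Allow values returned by your own servers; a "suspicious" verdict alone (empty or repeated entries) is only a hint, while "corrupted" means the header carries bytes that are not method names.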
Apache leaked server memory due to a use-after-free bug tracked
Compared with other flaws that bleed memory contents, such as
Heartbleed, the Optionsbleed vulnerability is less severe
because exploitation requires the targeted system to be
configured in a certain way, and even then the response doesn't always
contain other data.
Security firm Sophos published a
detailed analysis of the vulnerability.
The expert tested
for the Optionsbleed flaw across the Alexa Top 1 Million websites and
received corrupted Allow headers from only 466 of them.
With the support of the Apache developer Jacob Champion, Böck
verified that the Optionsbleed vulnerability only affects specific
configurations. Böck has released a proof-of-concept (PoC) script for