Apache patches 'OptionsBleed' web server info leak bug

Website administrators are urged to patch against the "OptionsBleed" information disclosure vulnerability in the Apache Software Foundation's httpd web server, which can leak server memory.

Researcher Hanno Böck found the vulnerability when looking into the hyper text transfer protocol (HTTP) OPTIONS method, and scanned the top one million servers ranked by traffic analytics company Alexa with it.

The scan revealed that 466 servers sent back odd responses with an Allow header containing what appeared to be corrupted data. 

On further investigation, Böck noted that the data returned looked similar to what happens with the Heartbleed bug in the OpenSSL cryptographic library, which attackers can use to leak server memory to obtain secrets such as digital keys.

With the help of Apache developer Jacob Champion, Böck was able to trace the bug to the httpd Limit configuration directive.

This restricts access for specific HTTP methods to specific users. Vulnerable Apache httpd versions contain a use-after-free bug that is triggered when administrators apply the directive to HTTP methods not registered with the server, in configuration files.

Apache has issued a patch for the vulnerability, and Linux distributions such as Slackware have released updated httpd packages with the fix.

Böck said "OptionsBleed" isn't as serious as Heartbleed as only small amounts of memory are leaked, and the vulnerability doesn't affect a large number of servers.

He warned that it is nevertheless "a pretty bad bug, particularly for shared hosting environments" where users can create .htaccess files to abuse the Limit directive to cause the information leaks.