Apache bug leaks contents of server memory for all to see—Patch now

by Dan Goodin, from Ars Technica
(Image: optionsbleed.png; credit: Hanno Böck)

There's a bug in the widely used Apache Web Server that causes servers to leak pieces of arbitrary memory in a way that could expose passwords or other secrets, a freelance journalist has disclosed.

The vulnerability can be triggered by querying a server with what's known as an OPTIONS request. Like the better-known GET and POST requests, OPTIONS is a type of HTTP method; it allows users to determine which HTTP methods are supported by the server. Normally, a server will respond with GET, POST, OPTIONS, and any other supported methods. Under certain conditions, however, responses from Apache Web Server include data stored in the server's memory. Patches are available here and here.
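A server returns its method list in the Allow response header, so an administrator can sanity-check that header's value as seen from their own server. The check below is an added example, not code from the article or from Apache; the function name, the method set, and the sample header values are assumptions constructed for illustration.

```python
import re

# RFC 7230 "token": the only characters allowed in an HTTP method name.
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

# Registered HTTP/WebDAV methods a web server commonly lists (assumed baseline).
KNOWN_METHODS = {
    "GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE",
    "PATCH", "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK",
}


def check_allow_header(value):
    """Return a list of findings for one Allow header value; empty means clean."""
    findings = []
    seen = set()
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            findings.append("empty entry")
        elif not TOKEN.fullmatch(entry):
            # Control bytes, slashes, spaces etc. cannot be part of a method name.
            findings.append("not a valid method token: %r" % entry)
        elif entry.upper() not in KNOWN_METHODS:
            findings.append("unregistered method name: %r" % entry)
        elif entry.upper() in seen:
            findings.append("duplicate method: %r" % entry)
        seen.add(entry.upper())
    return findings


# Constructed sample header values (not captured from any real server).
SAMPLES = {
    "normal": "GET,HEAD,POST,OPTIONS",
    "corrupted": "GET,HEAD,,allow,HEAD,0\x03\x7f/var/www,POST,OPTIONS",
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, "->", check_allow_header(value) or "clean")
```

An unregistered method name can be legitimate on a server with custom extensions, so treat that finding as a prompt to review rather than proof of a leak.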

The best-known vulnerability to leak potentially sensitive server memory was the Heartbleed bug in the widely used OpenSSL cryptography library. Within hours of Heartbleed's disclosure in April 2014, attackers were exploiting it to obtain passwords belonging to users of Yahoo, Ars, and other sites. Heartbleed could also be exploited to bleed websites' private encryption keys and to hack networks with multifactor authentication.
