1. 13
    1. 14

      Here’s a story about OPTIONS: I was playing around with HTTP features, and read about it. So I thought “What happens if I send OPTIONS requests to the Alexa Top 1M? Anything interesting in the output?”

      I ended up seeing something very odd. Some servers were responding with what appeared to be random memory fragments. Some of them contained what looked like Apache configuration directives. So it pretty much looked like an Apache security vulnerability, but I could not reproduce it on my own servers, and attempts to contact affected server operators remained unanswered.

      After some back and forth with Apache’s security team, they figured out the bug. It only showed up in a very specific situation: There’s a config directive to restrict HTTP methods called Limit, and if you configured that to a nonexistent HTTP method, this bug showed up.

      https://blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.html

      Aftermath of that story: It turned out that the bug was already discovered several years earlier and mentioned in a research paper, but they hadn’t followed up or figured out what the cause was. https://blog.fuzzing-project.org/61-How-Optionsbleed-wasnt-found-in-2014.html

      1. 1

        Wow that’s a really wild bug!

        1. [Comment removed by author]
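
Added example, not part of the thread and not Apache's own code: a small audit that scans Apache configuration text for `<Limit>` directives naming a method the server does not recognise, which is the trigger condition described in the comment above. The `KNOWN_METHODS` set is an assumption based on the methods Apache's core documentation lists for `<Limit>` (plus `HEAD`); the function name and the sample configuration are constructed for illustration.

```python
import re

# Assumption: methods Apache's core documentation lists as valid for <Limit>,
# plus HEAD (handled together with GET). Modules can register more; extend
# this set to match the modules loaded on the server being audited.
KNOWN_METHODS = frozenset({
    "GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "PATCH",
    "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK",
})

# Directive names are case-insensitive; method names are case-sensitive.
# Requiring whitespace after "Limit" keeps <LimitExcept> out of the match.
LIMIT_RE = re.compile(r"^\s*<Limit\s+([^>]*)>", re.IGNORECASE)


def find_unknown_limit_methods(config_text, known=KNOWN_METHODS):
    """Return (line_number, method) for each <Limit> method not in `known`."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        match = LIMIT_RE.match(line)
        if not match:
            continue  # comments, closing tags and unrelated directives
        for method in match.group(1).split():
            if method not in known:
                findings.append((lineno, method))
    return findings


# Constructed sample configuration, not taken from any real server.
SAMPLE_CONFIG = """\
# restrict writes
<Limit POST PUT DELETE>
    Require valid-user
</Limit>
<Limit get FOOBAR>
    Require all denied
</Limit>
  <limit PROPFIND>
    Require all denied
  </limit>
"""

if __name__ == "__main__":
    for lineno, method in find_unknown_limit_methods(SAMPLE_CONFIG):
        print(f"line {lineno}: <Limit> names unrecognised method {method!r}")
```

Lower-case `get` is reported because method names in `<Limit>` are case-sensitive, so a typo in case is treated the same as a made-up method name.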
