
Article ID: 131493, created on Sep 21, 2017, last review on Sep 21, 2017

Applies to:

  • Operations Automation
  • Business Automation

Information

A specially crafted .htaccess file allows a remote attacker to read process memory by sending OPTIONS requests.

This may leak sensitive data that belongs to another user.

https://nvd.nist.gov/vuln/detail/CVE-2017-9798

Resolution

CloudLinux has released fixes for CloudLinux 7 and CloudLinux 6.

The issue can be prevented by using the AllowOverride directive in the Apache configuration to disallow overriding of the Limit option.

For example, in a typical Linux Shared Hosting NG environment, check the main configuration file:

[root@ng ~]# grep AllowOverride /etc/httpd/conf/httpd.conf
        AllowOverride AuthConfig Limit Indexes Options FileInfo

Exclude the Limit option from the directive:

[root@ng ~]# grep AllowOverride /etc/httpd/conf/httpd.conf
        AllowOverride AuthConfig Indexes Options FileInfo
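
The grep above inspects a single file. As an added example (not part of the original article), the function below reports every AllowOverride directive that still permits Limit, including AllowOverride All, which enables every override group. The function name and the choice of which configuration files to pass in are assumptions.

```bash
#!/bin/bash
# Added example: list AllowOverride directives that still permit Limit.
# Assumption: the configuration files to audit are passed as arguments, e.g.
#   /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/*.conf

# Print "file:line: directive" for every AllowOverride line that permits
# Limit, either explicitly or through "All". Comment lines are skipped and
# keywords are compared case-insensitively, as Apache does.
find_limit_overrides() {
    awk '
        /^[ \t]*#/ { next }                      # skip commented-out lines
        tolower($1) == "allowoverride" {
            for (i = 2; i <= NF; i++) {
                opt = tolower($i)
                if (opt == "limit" || opt == "all") {
                    sub(/^[ \t]+/, "")           # drop indentation for output
                    print FILENAME ":" FNR ": " $0
                    next
                }
            }
        }
    ' "$@"
}

# Run the audit when the script is called with file arguments.
if [ "$#" -gt 0 ]; then
    find_limit_overrides "$@"
fi
```

An empty result means none of the given files grants Limit to .htaccess files; any line that is printed needs the same edit as shown above.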

For additional information on how to tune the directive, refer to the corresponding part of the Apache documentation:

https://httpd.apache.org/docs/2.4/mod/core.html#allowoverride
