Return-Path: <dev-return-90209-archive-asf-public=cust-asf.ponee.io@httpd.apache.org>
X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io
Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io
Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183])
	by cust-asf2.ponee.io (Postfix) with ESMTP id 12153200D0C
	for <archive-asf-public-internal@cust-asf2.ponee.io>; Wed, 20 Sep 2017 18:37:07 +0200 (CEST)
Received: by cust-asf.ponee.io (Postfix)
	id 10B531609E2; Wed, 20 Sep 2017 16:37:07 +0000 (UTC)
Delivered-To: archive-asf-public@cust-asf.ponee.io
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by cust-asf.ponee.io (Postfix) with SMTP id 4E8641609D8
	for <archive-asf-public@cust-asf.ponee.io>; Wed, 20 Sep 2017 18:37:06 +0200 (CEST)
Received: (qmail 42375 invoked by uid 500); 20 Sep 2017 16:37:00 -0000
Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm
Precedence: bulk
Reply-To: dev@httpd.apache.org
list-help: <mailto:dev-help@httpd.apache.org>
list-unsubscribe: <mailto:dev-unsubscribe@httpd.apache.org>
List-Post: <mailto:dev@httpd.apache.org>
List-Id: <dev.httpd.apache.org>
Delivered-To: mailing list dev@httpd.apache.org
Received: (qmail 42365 invoked by uid 99); 20 Sep 2017 16:37:00 -0000
Received: from pnap-us-west-generic-nat.apache.org (HELO spamd1-us-west.apache.org) (209.188.14.142)
    by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 20 Sep 2017 16:37:00 +0000
Received: from localhost (localhost [127.0.0.1])
	by spamd1-us-west.apache.org (ASF Mail Server at spamd1-us-west.apache.org) with ESMTP id D7AB1D2F55
	for <dev@httpd.apache.org>; Wed, 20 Sep 2017 16:36:59 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at spamd1-us-west.apache.org
X-Spam-Flag: NO
X-Spam-Score: -2.301
X-Spam-Level: 
X-Spam-Status: No, score=-2.301 tagged_above=-999 required=6.31
	tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001,
	RCVD_IN_MSPIKE_H2=-2.8, RCVD_IN_SORBS_SPAM=0.5, SPF_PASS=-0.001]
	autolearn=disabled
Authentication-Results: spamd1-us-west.apache.org (amavisd-new);
	dkim=pass (2048-bit key) header.d=rowe-clan-net.20150623.gappssmtp.com
Received: from mx1-lw-eu.apache.org ([10.40.0.8])
	by localhost (spamd1-us-west.apache.org [10.40.0.7]) (amavisd-new, port 10024)
	with ESMTP id CsRdvh5LLbe3 for <dev@httpd.apache.org>;
	Wed, 20 Sep 2017 16:36:58 +0000 (UTC)
Received: from mail-io0-f179.google.com (mail-io0-f179.google.com [209.85.223.179])
	by mx1-lw-eu.apache.org (ASF Mail Server at mx1-lw-eu.apache.org) with ESMTPS id 507E05F297
	for <dev@httpd.apache.org>; Wed, 20 Sep 2017 16:36:58 +0000 (UTC)
Received: by mail-io0-f179.google.com with SMTP id q11so4796798ioe.10
        for <dev@httpd.apache.org>; Wed, 20 Sep 2017 09:36:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=rowe-clan-net.20150623.gappssmtp.com; s=20150623;
        h=mime-version:from:date:message-id:subject:to;
        bh=RXgzzY06FvucJDmqeV8Iy1esuC0vRWABHaJ3x+v9S6g=;
        b=WaykUWRExpHk33aNa4VyfZUTrkxcUnDQM+XFrR9/PO2d/BoO9Dk0fGJKOA//18VXYw
         vgGGOYKoLdEmBpNzbQ34jmS2F3cmjqmZ1euRPBj7CWIwILlQf7bunWFtQy9tMQPgP0HE
         a52a6dXnh3FCzf7wfF8sgertd9sS+8/w2FOAsO8vE85tzyg40Zi5g49SzZcApEyApWK4
         OW7FOMtsp9oseKNX1iuN5UB2Afhaq0Av9kq/DZ2Q0wL/uMojq/0BKAHbigN41InGKhwI
         HaQYZVXqs+h3smDuC5KGDLlTJVu9vM0I46PB8Z6a69rpbT+BcMDtQP5f/zX4Vbt+d4s+
         YatQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:from:date:message-id:subject:to;
        bh=RXgzzY06FvucJDmqeV8Iy1esuC0vRWABHaJ3x+v9S6g=;
        b=nsqlnSrO7ymteT3AFp28yVHgIJ1+A6/JVLRirbUT3+B3SFeE1Jj+wpzWt08xe6dakw
         mjnItXKubBRHW+b2S0xth+nSpBwz43IfOpNX9Uc5F1VQuiLPC4vBQ1UhKa5bFNdno8ET
         57cx3/k2zEyIm8ud+oD28xwNRiUk8Z6wg43Ln2EwoFuVnfpiMQZlxLVI89pO2rXtW8TO
         ixbWPwD03Ny7HJSGRPf/EzEVvzfgfVuY35W8cbnge5DEjdtuCUnuysN31fcvTl+DfW55
         I+q+cCNhU+q5UR6eQaAjxZG39kWZ8Z7gVYARSopHytL7AAJTWTVJbR3/hFXFd9ffx4j8
         5VRg==
X-Gm-Message-State: AHPjjUhrVgNsltxtYHCKhb1bWShGiUErubLaC9fKXNhrPbGlnmxaG/sc
	EtaBR9+VzVO16a7i3To2Ur4z2eyoOde/EC6iIEII2/hM
X-Google-Smtp-Source: AOwi7QDCMryMK8EFRNIDNF0jV/X5u394/RqXhTNLc1wSb9poWlhg3ZmXIPt5r4XtrufwREj8PaZEAZmOE5tzRsFhipA=
X-Received: by 10.202.6.2 with SMTP id 2mr6882340oig.60.1505925416687; Wed, 20
 Sep 2017 09:36:56 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.157.69.67 with HTTP; Wed, 20 Sep 2017 09:36:56 -0700 (PDT)
From: William A Rowe Jr <wrowe@rowe-clan.net>
Date: Wed, 20 Sep 2017 11:36:56 -0500
Message-ID: <CACsi253RfX7OT5NhZCKRru2JpOKoscux=jzDzJOnbcF31XHmMw@mail.gmail.com>
Subject: Understanding OptionsBleed
To: httpd <dev@httpd.apache.org>
Content-Type: text/plain; charset="UTF-8"
archived-at: Wed, 20 Sep 2017 16:37:07 -0000

So as most people have correctly identified, this defect has existed
for an incredibly long time.

But how it is triggered and avoided would help us to correctly study
unexpected behaviors.

OPTIONS * - won't trigger the defect, .htaccess should not be examined.

OPTIONS / - may trigger the defect, because the path is traversed and
one or more .htaccess files may be processed.

In all versions, <Limit > of the standard methods do not trigger the
defect. Only <Limit > of any unregistered methods in an allowed
.htaccess file will trigger the defect.

In 2.4.23 and prior including all 2.2/2.0, "HEAD" was not registered,
but would not be registered by <Limit because we first tested method
number (which returned the GET method ID.) In 2.4.25 and 2.4.26, HEAD
was registered but the Allow header constructor duplicated GET -> HEAD
and HEAD --> HEAD resulting in four methods listed, fixed already in
2.4.27.

In order to avoid the defect with trusted .htaccess authors;

In 2.2.31 and prior (all 2.0) or 2.4.23 and prior we can use an
otherwise no-op <Limit block in the global httpd.conf for non-standard
methods that are expected to occur in .htaccess - this avoids
registering them at request time.

In 2.2.32+ / 2.4.25+ we can use RegisterHttpMethod in the global
httpd.conf for non-standard methods in .htaccess - this avoids
registering them at request time.

It is not possible to avoid this defect with untrusted/malicious
.htaccess authors without disabling .htaccess files, patching or
upgrading to version 2.4.28.

Provided AllowOverride is None, and AllowOverrideList does not include
"<Limit", the server should be protected, but I haven't played with
this theory; https://httpd.apache.org/docs/2.4/mod/core.html#allowoverridelist

The httpd server cannot ever address every possible aspect of
malicious .htaccess authoring, and the project has reiterated this
message multiple times, leading to a vulnerability assessment of 'low'
severity in all cases that weren't disputed as not vulnerabilities
whatsoever;

https://www.cvedetails.com/cve/CVE-2011-3607/
https://www.cvedetails.com/cve/CVE-2011-4415/
https://www.cvedetails.com/cve/CVE-2009-1195/
https://www.cvedetails.com/cve/CVE-2004-2343/
https://www.cvedetails.com/cve/CVE-2004-0747/