Information

A specially crafted .htaccess file allows a remote attacker to read process memory by sending OPTIONS requests.

This may leak sensitive data that belongs to another user.

https://nvd.nist.gov/vuln/detail/CVE-2017-9798

Resolution

CloudLinux has released fixes for CloudLinux 7 and CloudLinux 6.

The issue can be prevented by using the AllowOverride directive in the Apache configuration to disallow overriding of the Limit option.

For example, in a typical Linux Shared Hosting NG environment, check the main configuration file:

[root@ng ~]# grep AllowOverride /etc/httpd/conf/httpd.conf
        AllowOverride AuthConfig Limit Indexes Options FileInfo

Remove the Limit option from the directive:

[root@ng ~]# grep AllowOverride /etc/httpd/conf/httpd.conf
        AllowOverride AuthConfig Indexes Options FileInfo
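
The same check can be run across several configuration files at once. The script below is an added example, not part of the original article or of CloudLinux tooling; the function names and the sample configuration are constructed for illustration. It also reports `AllowOverride All`, on the assumption (per the Apache documentation) that `All` includes Limit.

```shell
#!/bin/sh
# Added example: list AllowOverride directives that still let .htaccess files
# override Limit. "All" is reported too, since it includes Limit.

# audit_allowoverride FILE...
# Prints "file:line: directive" for each match; returns 1 if any were found.
audit_allowoverride() {
    awk '
        /^[ \t]*#/ { next }                  # skip commented-out directives
        tolower($1) == "allowoverride" {     # directive names are case-insensitive
            for (i = 2; i <= NF; i++) {
                opt = tolower($i)
                if (opt == "limit" || opt == "all") {
                    line = $0
                    sub(/^[ \t]+/, "", line) # trim indentation for the report
                    printf "%s:%d: %s\n", FILENAME, FNR, line
                    found = 1
                    break
                }
            }
        }
        END { exit (found ? 1 : 0) }
    ' "$@"
}

# Constructed sample configuration (not taken from a real server).
write_sample_conf() {
    cat > "$1" <<'EOF'
<Directory "/var/www/html">
        AllowOverride AuthConfig Limit Indexes Options FileInfo
</Directory>
# AllowOverride Limit
<Directory "/var/www/safe">
        AllowOverride AuthConfig Indexes Options FileInfo
</Directory>
<Directory "/var/www/legacy">
    allowoverride All
</Directory>
EOF
}

# Demo: audit the constructed sample and report the result.
sample=$(mktemp)
write_sample_conf "$sample"
audit_allowoverride "$sample" || echo "Limit can still be overridden from .htaccess"
rm -f "$sample"
```

On a real server, pass the main configuration file and any included files as arguments, for example `audit_allowoverride /etc/httpd/conf/httpd.conf`.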

For additional information on how to tune the directive, refer to the corresponding part of the Apache documentation:

https://httpd.apache.org/docs/2.4/mod/core.html#allowoverride
