Information
A specially crafted .htaccess file allows a remote attacker to read process memory by sending OPTIONS requests.
This may leak sensitive data that belongs to another user.
https://nvd.nist.gov/vuln/detail/CVE-2017-9798
Resolution
CloudLinux has released fixes for CloudLinux 7 and CloudLinux 6.
The issue may be prevented by disabling overriding of the Limit option in the Apache configuration using the AllowOverride directive.
For example, in a typical Linux Shared Hosting NG environment, check the main configuration file:
[root@ng ~]# grep AllowOverride /etc/httpd/conf/httpd.conf
AllowOverride AuthConfig Limit Indexes Options FileInfo
Exclude the Limit option from the directive:
[root@ng ~]# grep AllowOverride /etc/httpd/conf/httpd.conf
AllowOverride AuthConfig Indexes Options FileInfo
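The same check across several configuration files, as an added example that is not part of the original article or of CloudLinux tooling. The hypothetical audit_allowoverride function lists every AllowOverride directive that still permits Limit; it goes slightly beyond the article by also flagging All, which enables every override group including Limit. The sample files are constructed.

```shell
#!/bin/sh
# Added example, not CloudLinux or Apache tooling.
# audit_allowoverride FILE...
#   Prints "file:line: directive" for every AllowOverride that still permits
#   Limit, either by name or through "All" (which enables every override group).
#   Returns 1 if at least one such directive was found, 0 otherwise.
audit_allowoverride() {
    awk '
        $1 ~ /^#/ { next }                      # skip commented-out directives
        tolower($1) == "allowoverride" {        # directive names are case-insensitive
            for (i = 2; i <= NF; i++) {
                v = tolower($i)
                if (v == "limit" || v == "all") {
                    printf "%s:%d: %s\n", FILENAME, FNR, $0
                    found = 1
                    break
                }
            }
        }
        END { exit (found ? 1 : 0) }
    ' "$@"
}

# Constructed sample input: the "before" and "after" directives from the article.
demo_dir=$(mktemp -d)
printf '%s\n' 'AllowOverride AuthConfig Limit Indexes Options FileInfo' > "$demo_dir/before.conf"
printf '%s\n' 'AllowOverride AuthConfig Indexes Options FileInfo' > "$demo_dir/after.conf"

audit_allowoverride "$demo_dir/before.conf" || echo "before.conf: Limit can still be overridden"
audit_allowoverride "$demo_dir/after.conf"  && echo "after.conf: Limit is not overridable"
rm -rf "$demo_dir"
```

On a real host, pass the main configuration file together with any included files, since AllowOverride can be set separately in each Directory block.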
For additional information on how to tune the directive, refer to the corresponding part of the Apache documentation:
https://httpd.apache.org/docs/2.4/mod/core.html#allowoverride