No description, website, or topics provided.
Switch branches/tags
Nothing to show
Clone or download
hannob Merge pull request #4 from netcode/master
fix encoding issue by define what type of encoding used
Latest commit dee909f Sep 20, 2017
Permalink
Failed to load latest commit information.
LICENSE Initial commit Sep 18, 2017
README.md fix typo Sep 18, 2017
optionsbleed fix encoding issue by define what type of encoding used Sep 20, 2017

README.md

optionsbleed

This is a proof of concept code to test for the Optionsbleed bug in Apache httpd (CVE-2017-9798).

usage

optionsbleed [-h] [-n N] [-a] [-u] hosttocheck

Check for the Optionsbleed vulnerability (CVE-2017-9798).

positional arguments:
  hosttocheck  The hostname you want to test against

optional arguments:
  -h, --help   show this help message and exit
  -n N         number of tests (default 10)
  -a, --all    show headers from hosts without problems
  -u, --url    pass URL instead of hostname

Tests server for Optionsbleed bug and other bugs in the allow header.

Automatically checks http://, https://, http://www. and https://www. -
except if you pass -u/--url (which means by default we check 40 times.)

output explanation

The script outputs the returned Allow header and prefixes it with an explanation what is wrong with it.

[bleed]

A corrupted header was sent, very likely the Optionsbleed bug.

[empty]

An empty header was sent, which is bogus.

[spaces]

The list of methods was space-separated instead of comma-separated.

This is a bug, but harmless. It may be Launchpad bug #1717682.

[duplicates]

Some methods were sent multiple times in the list.

This is a bug, but harmless. It may be Apache bug #61207.

[ok]

Nothing wrong with this header (only sent with -a/--all).