An information disclosure vulnerability has been discovered in Apache HTTP Server. In response to HTTP requests using the "OPTIONS" method, the server can return an "Allow" header containing arbitrary chunks of memory.
This memory leak can only happen when the Apache server applies a set of authorizations through the <Limit> directive in .htaccess files, with "AllowOverride Limit" set in httpd.conf.
Details of the vulnerability
Apache httpd allows remote attackers to read arbitrary data from process memory if the <Limit> directive can be set in a user's .htaccess file (as in shared hosting environments) and if httpd.conf has relaxed (mis)configurations, aka Optionsbleed.
This affects the Apache HTTP Server 2.2.x through 2.2.34 and 2.4.x through 2.4.27. The attacker sends an unauthenticated OPTIONS HTTP request when attempting to read arbitrary data.
This is a use-after-recycle/free issue, and thus secret data may be disclosed (though binary data would be blocked in the latest 2.2.x and 2.4.x versions); the specific data depends on many factors, including configuration, and is unlikely to be controllable by a remote client. Exploitation in .htaccess files can be blocked with a patch to the ap_limit_section function in server/core.c, or by removing the token "Limit" (not present by default) from the "AllowOverride" directive in the main configuration file (httpd.conf, not writable by users).
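The two preconditions described above can be checked offline against a server's configuration. The following is an added example, not part of the original advisory or of Apache's own tooling: it flags "AllowOverride" lines that carry the "Limit" token (or "All", which enables every override class) and .htaccess files that contain a <Limit> section. The function names, file paths and sample configuration are constructed for illustration.

```python
import re

# Constructed sample inputs (not taken from any real server).
SAMPLE_HTTPD_CONF = """\
<Directory "/var/www/shared">
    AllowOverride AuthConfig \\
        Limit
</Directory>
<Directory "/var/www/static">
    allowoverride None
</Directory>
"""
SAMPLE_HTACCESS = {
    "/var/www/shared/site1/.htaccess": "<Limit GET POST>\n  Require valid-user\n</Limit>\n",
    "/var/www/shared/site2/.htaccess": "# <Limit GET>\n<LimitExcept GET>\n</LimitExcept>\n",
}

def logical_lines(text):
    """Yield (first_line_no, line): continuations joined, comments and blanks dropped."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        start = start or no
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        line = (buf + raw).strip()
        buf, start_no, start = "", start, None
        if line and not line.startswith("#"):
            yield start_no, line

def risky_allowoverride(conf_text):
    """Return (line_no, directive) for AllowOverride lines that permit <Limit> in .htaccess."""
    hits = []
    for no, line in logical_lines(conf_text):
        words = line.split()
        # Directive names are case-insensitive. "Limit" is the token the advisory names;
        # "All" is included because it enables every override class.
        if words[0].lower() == "allowoverride" and {w.lower() for w in words[1:]} & {"limit", "all"}:
            hits.append((no, " ".join(words)))
    return hits

def htaccess_with_limit(files):
    """Return sorted paths of .htaccess files containing a <Limit ...> section (not <LimitExcept>)."""
    pat = re.compile(r"<Limit\s", re.IGNORECASE)
    return sorted(p for p, t in files.items()
                  if any(pat.match(line) for _, line in logical_lines(t)))

def exposed(conf_text, files):
    """True only when both preconditions from the advisory hold somewhere on the server."""
    return bool(risky_allowoverride(conf_text)) and bool(htaccess_with_limit(files))
```

The check is server-wide and deliberately coarse: it does not map each .htaccess file to the <Directory> scope whose AllowOverride applies to it, so a positive result means the configuration needs review, not that a leak is confirmed.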