httpd-users mailing list archives

From "Takacs Istvan" <istvan.tak...@hungax.com>
Subject RE: Strange PUT method behavior?
Date Sat, 12 Jan 2002 18:25:26 GMT
Hi,

First of all, thanks for your help, and
sorry for my poor English!

So, we are developing a commercial site, and it has
a feature that gives the users the ability to upload
their files into a separate directory structure under
htdocs. They use their browsers for this.
The users write their files in the context of the apache
user, so the directories have rwx permissions for the
apache user, and the owner of the files is the apache user
as well.

I tried to delete one of these files via a telnet connection,
and Apache sent back a correct error message:
"The requested method DELETE is not allowed
for the URL /path/to/file"
Am I to understand that no one can delete or overwrite
these files even if he knows the correct path?

When I tried to upload a file to the server by the PUT method
(just to test whether someone could write his illegal
sadomaso.jpg into one of our clients' directories), I
got back that unpleasant message from the server.

So, I'm a bit frightened that anyone could upload their
materials to the server if they know the path to a
writable directory, without so much as identifying
themselves at the first login page.

So, my question is whether I am right, or is there
any workaround to disable this counterproductive feature?

Thanks in advance!

Regards,

		Istvan

> > Red Hat 7.2, Apache 1.3.22
> >
> > One of our servers has the kind of directory structure
> > that enables the apache user to upload files.
> > How can I disable uploading files other than through
> > the usage of a browser?
> > If I telnet to port 80 and use HTTP commands,
> > then I get these messages:
> >
> > [root@server]# telnet www.developer.com 80
> > Trying 192.168.100.54...
> > Connected to www.developer.com.
> > Escape character is '^]'.
> > PUT /path/to/writable/directory /etc/sysconfig/sendmail HTTP/1.1
> > Host: www.developer.com
> >
> > HTTP/1.1 301 Moved Permanently
> 
> Well, technically, that is not at all a properly formed PUT
> request.  I'm not sure why apache doesn't just reject it as
> malformed.  But in any case, I don't see any security problem
> here.  Apache is issuing a redirect because you are accessing
> a directory without the required trailing slash.  It isn't
> actually accepting the PUT.
>
> It's possible I've completely missed the point of your
> question.  If so, please rephrase and try to be a little
> clearer about what you are trying to do, what you think
> Apache should do, and what it is actually doing.
> 
> Joshua.
> 

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
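The thread turns on two responses that are easy to misread by hand over telnet: the 301 that mod_dir issues for a directory requested without its trailing slash (which is not an accepted PUT), and the 405 that says no handler will perform PUT or DELETE on that URL. The script below is an added example, not code from the thread or from the Apache project: it sends correctly formed PUT and DELETE requests, follows the trailing-slash redirect with the same method so the 301 is not mistaken for a final answer, and reports only 2xx responses as writes the server actually performed. The FakeApache class and the /uploads path are constructed stand-ins that reproduce the behaviour Istvan and Joshua describe, so the demo runs offline; to test a real server, call audit() with its host, port and the writable directory path and drop the mock.

```python
"""Probe a web server for PUT/DELETE acceptance with well-formed requests.

Added example, not from the thread. FakeApache is a constructed mock that
answers the way the thread reports Apache 1.3 answering; audit() can be
pointed at a real host:port instead.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

WRITE_METHODS = ("PUT", "DELETE")
REDIRECTS = (301, 302, 307, 308)


def send(host, port, method, path, body=b""):
    """Send one correctly formed HTTP/1.1 request; return (status, Location)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    headers = {"Host": f"{host}:{port}"}
    if body:
        headers["Content-Type"] = "application/octet-stream"
    # http.client adds Content-Length itself (0 for a body-less PUT/DELETE).
    conn.request(method, path, body=body or None, headers=headers)
    resp = conn.getresponse()
    resp.read()
    location = resp.getheader("Location")
    conn.close()
    return resp.status, location


def probe(host, port, method, path, body=b"", max_redirects=3):
    """Resend the same method at the redirect target, so mod_dir's
    trailing-slash 301 is not taken as the final answer. Returns (path, status)."""
    status, location = send(host, port, method, path, body)
    for _ in range(max_redirects):
        if status not in REDIRECTS or not location:
            break
        path = urlsplit(location).path      # assume same host; keep the path only
        status, location = send(host, port, method, path, body)
    return path, status


def audit(host, port, directory, filename="probe.txt"):
    """Try the writes the thread worries about; return {request: (final_path, status)}."""
    directory = directory.rstrip("/")
    target = f"{directory}/{filename}"
    return {
        f"PUT {directory}": probe(host, port, "PUT", directory, body=b"x"),
        f"PUT {target}": probe(host, port, "PUT", target, body=b"constructed probe body\n"),
        f"DELETE {target}": probe(host, port, "DELETE", target),
    }


def accepted(results):
    """Requests answered with 2xx, i.e. writes the server actually performed."""
    return [req for req, (_, status) in results.items() if 200 <= status < 300]


class FakeApache(BaseHTTPRequestHandler):
    """Constructed mock of the behaviour reported in the thread (not Apache)."""
    DIRECTORIES = {"/uploads"}                 # hypothetical writable directory
    ALLOW = "GET, HEAD, POST, OPTIONS, TRACE"

    def _handle(self):
        length = int(self.headers.get("Content-Length") or 0)
        if length:
            self.rfile.read(length)            # drain the body before answering
        if self.path in self.DIRECTORIES:      # directory without trailing slash
            self.send_response(301)
            self.send_header("Location", f"http://{self.headers['Host']}{self.path}/")
            self.end_headers()
        elif self.command in WRITE_METHODS:    # no handler is willing to write
            self.send_response(405)
            self.send_header("Allow", self.ALLOW)
            self.end_headers()
        else:
            self.send_response(200)
            self.end_headers()

    do_GET = do_PUT = do_DELETE = _handle

    def log_message(self, *args):              # keep the demo quiet
        pass


def run_demo():
    """Start the mock on a free loopback port, audit it, and shut it down."""
    server = HTTPServer(("127.0.0.1", 0), FakeApache)
    host, port = server.server_address
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return audit(host, port, "/uploads")
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    results = run_demo()
    for request, (path, status) in results.items():
        print(f"{request:32} -> {status} (final path {path})")
    print("accepted writes:", accepted(results) or "none")
```

Against the mock every write ends in 405, which is also the expected result on a stock Apache 1.3 install: filesystem permissions let the apache user write, but no enabled handler turns a PUT or DELETE request into a write, and the trailing-slash 301 only re-points the client at the same directory. A 2xx from audit() is the finding to chase. If you want the policy to be visible in the configuration rather than implied by the absence of a handler, a `<LimitExcept GET POST HEAD>` block with `Order deny,allow` / `Deny from all` inside the `<Directory>` for the upload tree refuses every other method explicitly. The browser upload path is separate from this probe: whatever script accepts the browser's upload is where the login check has to be enforced.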

