httpd-users mailing list archives

From Sage Weaver <s...@gypsycaravan.com>
Subject [users@httpd] Can DELETE or PUT be used maliciously?
Date Wed, 19 Nov 2003 23:32:40 GMT
I'm not well-versed with the HTTP specification, and either there's not 
a lot of very explicit, clear information out there, or my Google search 
skills are not up to snuff... so please bear with me if this seems like 
a stupid question.

In the Apache 2.0 configuration file that comes with Red Hat 9, the 
following is commented out:

# Control access to UserDir directories.  The following is an example
# for a site where these directories are restricted to read-only.
#
#<Directory /home/*/public_html>
#    AllowOverride FileInfo AuthConfig Limit
#    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
#    <Limit GET POST OPTIONS>
#        Order allow,deny
#        Allow from all
#    </Limit>
#    <LimitExcept GET POST OPTIONS>
#        Order deny,allow
#        Deny from all
#    </LimitExcept>
#</Directory>

This led me to look up the <Limit> directive, which tells me that there 
are also methods like PUT and DELETE, which, from what I could ascertain 
from various Google searches, are indeed designed to save a file (like 
uploading a new document -- supposedly this is how FrontPage saves files 
to the server) and delete a file, respectively (The documentation for 
<Limit> also mentions "MOVE," "COPY," and other dangerous-sounding 
request methods).

I have been unable to find any more information regarding the use of 
PUT and DELETE, and what it takes to invoke such commands on a server. 
I am currently not using the <Limit> directive at all -- the only 
reference to that directive in the conf file is in the above section, 
which is commented out.  Does this mean that anyone could feasibly send 
DELETE or PUT to maliciously attack my site?  Or does it take more than 
that to cause damage, and I'm just being paranoid?  Or have I 
misinterpreted the function of those request methods entirely?


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

