httpd-users mailing list archives

From Saqib Ali <sa...@seagate.com>
Subject Re: [users@httpd] Can DELETE or PUT be used maliciously?
Date Wed, 19 Nov 2003 23:47:40 GMT
If you have WebDAV ( http://www.webdav.org ) enabled on your server, then
these methods can be used improperly.

If you do have WebDAV enabled, make sure proper
authorization/authentication is required on directories where these
methods are enabled.

For more info, check out
http://www.xml-dev.com:8080/cocoon/mount/docbook/Apache-WebDAV-LDAP-HOWTO.html#N4003B0

Saqib Ali
-------------
http://validate.sf.net <---- HTML/XHTML/DocBook Validator

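As an added example (not part of Saqib's reply, nor the Apache project's own configuration) of what "proper authorization on directories where these methods are enabled" looks like in Apache 2.0-era syntax: one read-only directory where everything beyond GET/POST/OPTIONS is denied, and one WebDAV directory where the writing methods require an authenticated user. The filesystem paths, the lock database location and the password file are assumptions.

```apache
# Added example, not from the reply above. Paths, DavLockDB and
# AuthUserFile locations are assumptions; adjust to your layout.

# Only load mod_dav / mod_dav_fs if WebDAV is actually needed. Without
# them, Apache has no handler that writes files in response to PUT,
# DELETE, MOVE or COPY.
LoadModule dav_module    modules/mod_dav.so
LoadModule dav_fs_module modules/mod_dav_fs.so
DavLockDB /var/lock/apache2/DavLock

# Read-only content: no "Dav On" here, and every request method other
# than GET, POST and OPTIONS is refused for all clients. This mirrors
# the commented-out UserDir block from the Red Hat 9 default config.
<Directory /var/www/html>
    Options -Indexes
    <Limit GET POST OPTIONS>
        Order allow,deny
        Allow from all
    </Limit>
    <LimitExcept GET POST OPTIONS>
        Order deny,allow
        Deny from all
    </LimitExcept>
</Directory>

# WebDAV-enabled directory: anonymous clients may read (GET, HEAD,
# OPTIONS, PROPFIND), but PUT, DELETE, MOVE, COPY, MKCOL, PROPPATCH,
# LOCK and UNLOCK all fall under LimitExcept and need a valid login.
# Basic auth sends credentials in the clear, so serve this over SSL.
<Directory /var/www/dav>
    Dav On
    AuthType Basic
    AuthName "WebDAV authoring"
    AuthUserFile /etc/httpd/conf/dav.passwd
    <LimitExcept GET HEAD OPTIONS PROPFIND>
        Require valid-user
    </LimitExcept>
</Directory>
```

With this in place a PUT or DELETE against /var/www/html is answered with 403, and against /var/www/dav it is answered with 401 until the client authenticates.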
On Wed, 19 Nov 2003, Sage Weaver wrote:

> I'm not well-versed with the HTTP specification, and either there's not
> a lot of very explicit, clear information out there, or my Google search
> skills are not up to snuff... so please bear with me if this seems like
> a stupid question.
>
> In the Apache 2.0 configuration file that comes with Red Hat 9, the
> following is commented out:
>
> # Control access to UserDir directories.  The following is an example
> # for a site where these directories are restricted to read-only.
> #
> #<Directory /home/*/public_html>
> #    AllowOverride FileInfo AuthConfig Limit
> #    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
> #    <Limit GET POST OPTIONS>
> #        Order allow,deny
> #        Allow from all
> #    </Limit>
> #    <LimitExcept GET POST OPTIONS>
> #        Order deny,allow
> #        Deny from all
> #    </LimitExcept>
> #</Directory>
>
> This led me to look up the <Limit> directive, which tells me that there
> are also methods like PUT and DELETE, which, from what I could ascertain
> from various Google searches, are indeed designed to save a file (like
> uploading a new document -- supposedly this is how FrontPage saves files
> to the server) and delete a file, respectively (The documentation for
> <Limit> also mentions "MOVE," "COPY," and other dangerous-sounding
> request methods).
>
> I have been unable to find any more information regarding the use of the
> PUT and DELETE, and what it takes to invoke such commands on a server.
> I am currently not using the <Limit> directive at all -- the only
> reference to that directive in the conf file is in the above section,
> which is commented out.  Does this mean that anyone could feasibly send
> DELETE or PUT to maliciously attack my site?  Or does it take more than
> that to cause damage, and I'm just being paranoid?  Or have I
> misinterpreted the function of those request methods entirely?
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org