httpd-users mailing list archives

From Eugene <list-apa...@fsck.net>
Subject Re: [users@httpd] Disabling HTTP methods
Date Tue, 26 Oct 2004 18:36:14 GMT
On Tue, Oct 26, 2004 at 08:26:21PM +0200, Gare wrote:
: 
: Scanning vulnerabilities in a server I've found:
: 
: Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH,
: MKCOL, COPY, MOVE, LOCK, UNLOCK, TRACE
: 
: How can a particular method be disabled, like DELETE or TRACE?
: 
: I'm talking about a server running APACHE 1.31 on Linux

If you look in the default httpd.conf that ships with Apache, you'll
find a block that shows you how to restrict certain HTTP methods.

# <Directory /home/*/public_html>
#     AllowOverride FileInfo AuthConfig Limit Indexes
#     Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
#     <Limit GET POST OPTIONS PROPFIND>
#         Order allow,deny
#         Allow from all
#     </Limit>
#     <LimitExcept GET POST OPTIONS PROPFIND>
#         Order deny,allow
#         Deny from all
#     </LimitExcept>
# </Directory>


-- 
Eugene

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
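
Added example, not part of the original message or of the stock httpd.conf: the commented-out block above turned into an active restriction, plus separate handling for TRACE, which `<Limit>` and `<LimitExcept>` do not control. The directory path and the list of permitted methods are assumptions, and the TRACE rule assumes mod_rewrite is loaded.

```apache
# Assumed document root; use the server's own path.
<Directory "/var/www/html">
    # Assumption: no per-directory overrides are needed. If AllowOverride
    # includes Limit (as in the stock example), a .htaccess file can replace
    # the Order/Allow/Deny rules set below.
    AllowOverride None

    # Methods listed here stay unrestricted (GET also covers HEAD).
    # Every other method, including PUT, DELETE and the WebDAV methods,
    # is refused with 403 Forbidden during the access check.
    <LimitExcept GET POST OPTIONS>
        Order deny,allow
        Deny from all
    </LimitExcept>
</Directory>

# TRACE is answered by the core before access control applies, so it needs
# its own rule. Server-level rewrite rules are not inherited by virtual
# hosts by default; repeat these lines inside each <VirtualHost>.
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]

# On releases that provide the TraceEnable directive, this single line
# replaces the three rewrite lines above:
# TraceEnable off
```

After reloading the configuration, rerun the same method scan and confirm that only the permitted methods are still reported.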

