httpd-users mailing list archives

From syona m <syon...@yahoo.com>
Subject Re: [users@httpd] Help required for security vulnerabilities in 1.3.29
Date Thu, 15 Dec 2005 13:43:50 GMT
Hi All,
   
  I have come to know that by default the DELETE and PUT methods are disabled in the Apache webserver.
Is there any way I can test for the same?
   
  Following the tips mentioned in the following sites  http://software.newsforge.com/article.pl?sid=04/09/17/1527247&tid=78&tid=48

"To test the PUT method, use a tool like curl to attempt a file upload:
curl -T test.asp http://www.mywebsite.com/
 Next, try to access the file. If you can, then the PUT method is enabled.
To test the DELETE method, connect to the server using telnet and issue the following command:
DELETE /<file> HTTP/1.0\n \n
 where <file> is the file you want to delete (ie: index.html). If the file gets removed, the DELETE
method is enabled"

Using the curl tool it was seen that the PUT method is not impacting our software:
D:\curl\curl-7.15.0>curl -T README http://xxx:8080/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>405 Method Not Allowed</TITLE>
</HEAD><BODY>
<H1>Method Not Allowed</H1>
The requested method PUT is not allowed for the URL /README.<P>
<HR>
<ADDRESS>Apache/1.3.29 Server at indmft6 Port 8080</ADDRESS>
</BODY></HTML>

Using the same tool for the DELETE method, we were not able to log in to the server.
   
   
  Trying directly to test the DELETE method:
  DELETE <file>  HTTP/1.0\n \n 
  # DELETE 
DELETE: not found 
# 
   
  I got this. Is this a valid testing result, or is "command: not found" a message
coming from the Solaris operating system?
   
  Please let me know if there is any other way I could verify for sure that this method is not being
used by the Apache installed on my machine.
   
  Thanks for the help
  Regards
  Priya
   
  


"William A. Rowe, Jr." <wrowe@rowe-clan.net> wrote:
  Nick Kew wrote:
> On Tuesday 29 November 2005 12:17, Joost de Heer wrote:
> 
>>1.3.34 was released several weeks ago (at least the Unix version, did
>>William Rowe upload the win32 1.3.34 binary yet?)
> 
> http://marc.theaimsgroup.com/?l=apache-httpd-dev&m=113147100206551&w=2
> 
> I can't find the reference just now, but he later suggested this lack of 
> interest means we can finally declare 1.3-on-windows dead.

Yes, at which point Randy our Guru of Win32/modperl reminded me that many
folks do use this, and he personally vouched for the installer.

So, yes, these have been up for the past week.

Bill

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
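
An added example, not part of the original message or of the Apache project's code: a Python probe that sends PUT and DELETE to the web server over a TCP connection and reads the status code, treating 405 (as in the curl output above) or 501 as "disabled". The probe path, the function names and the local stand-in server used for the demonstration are assumptions constructed here.

```python
import http.client
import http.server
import threading

def classify(status):
    """Turn a response status into a verdict on the method that was sent."""
    if status in (405, 501):      # server refused the method itself
        return "disabled"
    if 200 <= status < 300:       # the request was carried out
        return "enabled"
    return "inconclusive"         # 401/403/404 etc. need a closer look

def probe(host, port, method, path, body=None):
    """Send one request and return (status, Allow header, verdict)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request(method, path, body=body)
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("Allow"), classify(resp.status)
    finally:
        conn.close()

def audit(host, port, path="/method-probe-test.txt"):
    """Probe PUT and DELETE against a throwaway path, never a real file."""
    return {"PUT": probe(host, port, "PUT", path, body=b"probe\n"),
            "DELETE": probe(host, port, "DELETE", path)}

class StandIn(http.server.BaseHTTPRequestHandler):
    """Constructed local server: 405 for PUT, default 501 for DELETE."""
    def do_PUT(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        self.send_response(405)
        self.send_header("Allow", "GET, HEAD, OPTIONS")
        self.send_header("Content-Length", "0")
        self.end_headers()
    def log_message(self, *args):  # keep the demo output quiet
        pass

def demo():
    """Run the audit against the constructed stand-in on a free local port."""
    server = http.server.HTTPServer(("127.0.0.1", 0), StandIn)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return audit("127.0.0.1", server.server_port)
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    for method, result in demo().items():
        print(method, result)
```

To check a real installation, call `audit()` with its host name and port; an "inconclusive" verdict means the status code alone does not settle whether a handler processed the method.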

  


			