httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Kumar Bijayant <bijayant....@gmail.com>
Subject [users@httpd] HTTP methods vulnerabilities
Date Fri, 17 Aug 2012 22:46:21 GMT
Hi List,

Some days back I came across a very weired problem, and I am not able
to figure out. The security scanners scanned one of our public facing
website and they said that webserver is vulnerable to HTTP methods or
may be webdav is enabled. I looked around the code and couln't find
anything. Below is my findings and approach

1. Webdav module is not enabled at all on the webserver.

2.
<Directory DOCROOT>

<Limit GET POST OPTIONS>
              Order allow,deny
              Allow from all
          </Limit>
          <LimitExcept GET POST OPTIONS>
              Order deny,allow
              Deny from all
          </LimitExcept>
      AllowOverride None
      Order allow,deny
      Allow from all
   </Directory>

3. DELETE and PUT is disabled  by rewrite rules

RewriteCond %{REQUEST_METHOD} ^DELETE
RewriteRule .* - [F,L]
RewriteCond %{REQUEST_METHOD} ^PUT
RewriteRule .* - [F,L]

4. Did telnet test as well

bash-3.2$ telnet x.x.x.x 8090
Trying x.x.x.x....
Connected to x.x.x.x..
Escape character is '^]'.
OPTIONS / HTTP/1.0

HTTP/1.1 200 OK
Date: Mon, 30 Jul 2012 18:50:02 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8l
Allow: GET,HEAD,POST,OPTIONS,TRACE
Content-Length: 0
Connection: close

There are tomcat applaition as well behind this Apache instance. I
looked in to there as well, but coulnt find any thing related to
webdav in web.xml.

Am I missing something to rule out the possibility that Apache is not
vulnerable to any of the HTTP methods? Or ther is anything still which
is throwing that stuff. Because we have to get rid of that
vulnerabilities any how. Where else I should check?

Any comments or direction would be very helpful .

Thanks & Regards,
Bijayant Kumar

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message