httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jim Jagielski <...@jaguNET.com>
Subject Re: [users@httpd] HTTP methods vulnerabilities
Date Fri, 17 Aug 2012 23:08:21 GMT
Although I don't know for sure, I'm guessing it's because
TRACE is enabled. Some brain-dead security audits consider
allowing TRACE to be a "security issue" (although it's
not)...

Check out http://httpd.apache.org/docs/2.4/mod/core.html#traceenable
and give your security scanners a whack with a clue-stick.

On Aug 17, 2012, at 6:46 PM, Kumar Bijayant <bijayant.mws@gmail.com> wrote:

> Hi List,
> 
> Some days back I came across a very weired problem, and I am not able
> to figure out. The security scanners scanned one of our public facing
> website and they said that webserver is vulnerable to HTTP methods or
> may be webdav is enabled. I looked around the code and couln't find
> anything. Below is my findings and approach
> 
> 1. Webdav module is not enabled at all on the webserver.
> 
> 2.
> <Directory DOCROOT>
> 
> <Limit GET POST OPTIONS>
>              Order allow,deny
>              Allow from all
>          </Limit>
>          <LimitExcept GET POST OPTIONS>
>              Order deny,allow
>              Deny from all
>          </LimitExcept>
>      AllowOverride None
>      Order allow,deny
>      Allow from all
>   </Directory>
> 
> 3. DELETE and PUT is disabled  by rewrite rules
> 
> RewriteCond %{REQUEST_METHOD} ^DELETE
> RewriteRule .* - [F,L]
> RewriteCond %{REQUEST_METHOD} ^PUT
> RewriteRule .* - [F,L]
> 
> 4. Did telnet test as well
> 
> bash-3.2$ telnet x.x.x.x 8090
> Trying x.x.x.x....
> Connected to x.x.x.x..
> Escape character is '^]'.
> OPTIONS / HTTP/1.0
> 
> HTTP/1.1 200 OK
> Date: Mon, 30 Jul 2012 18:50:02 GMT
> Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8l
> Allow: GET,HEAD,POST,OPTIONS,TRACE
> Content-Length: 0
> Connection: close
> 
> There are tomcat applaition as well behind this Apache instance. I
> looked in to there as well, but coulnt find any thing related to
> webdav in web.xml.
> 
> Am I missing something to rule out the possibility that Apache is not
> vulnerable to any of the HTTP methods? Or ther is anything still which
> is throwing that stuff. Because we have to get rid of that
> vulnerabilities any how. Where else I should check?
> 
> Any comments or direction would be very helpful .
> 
> Thanks & Regards,
> Bijayant Kumar
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message