httpd-users mailing list archives

From Spork Schivago <sporkschiv...@gmail.com>
Subject Re: [users@httpd] Block access to "OPTIONS *"
Date Fri, 12 Feb 2016 01:38:29 GMT
Sorry to put in here, but is there a way for me to test to see if my server
is affected by this OPTIONS issue? I have cPanel / WHM and ConfigServer
Firewall installed and just about every day, I see CSF blocking users from
trying to hack in using some known hacking kit. Something with the word
w00t in it and blackhat. I'd just like to make sure I got all exploitable
services closed. Thanks!

On Thu, Feb 11, 2016 at 6:50 PM, Yann Ylavic <ylavic.dev@gmail.com> wrote:

> Hello,
>
> On Thu, Feb 11, 2016 at 10:56 PM, Toomas Aas <toomas.aas@reach-u.com>
> wrote:
> >
> > Approach 1:
> > -------------------------------------
> > RewriteCond %{REQUEST_METHOD} OPTIONS
> > RewriteRule .* - [R=405,L]
> > -------------------------------------
>
> You also need to set:
>   RewriteOptions AllowAnyURI
> for this to work.
>
> But since this option could open some dangerous doors (see [1]), I
> also suggest using something like:
>   RewriteRule ^[^/] - [R=403,L]
> just after "Approach 1" above, so as to deny any URI not starting with '/'.
>
> Regards,
> Yann.
>
> [1] http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html#rewriteoptions
>
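
One way to check how a server you run answers `OPTIONS *`, before and after adding the rules quoted above. This is an added example, not part of either post; the curl invocation, the function names and the verdict labels are assumptions of the example.

```shell
#!/bin/sh
# Added example: see how a server you administer answers "OPTIONS *".
# Usage: sh check_options.sh http://your-server.example/   (placeholder URL)

# Send the literal request line "OPTIONS * HTTP/1.1" and print the response
# headers. --request-target needs curl 7.55.0 or later.
fetch_options_star() {
  curl -s -i -m 10 -X OPTIONS --request-target '*' "$1"
}

# Read one HTTP response on stdin and print: <status> <verdict> allow=<methods>
#   blocked   403 or 405, what the rewrite rules in the thread return
#   answered  2xx, the server still serves OPTIONS *
classify_response() {
  tr -d '\r' | awk '
    /^HTTP\// && status == "" { status = $2 }
    tolower($0) ~ /^allow:/   { v = $0; sub(/^[^:]*:[ \t]*/, "", v); allow = v }
    /^$/                      { exit }   # end of headers, skip the body
    END {
      if (status == "")                            verdict = "no-response"
      else if (status == "403" || status == "405") verdict = "blocked"
      else if (status ~ /^2/)                      verdict = "answered"
      else                                         verdict = "other"
      if (status == "") status = "-"
      if (allow == "")  allow = "-"
      printf "%s %s allow=%s\n", status, verdict, allow
    }'
}

# Run only when a base URL is given on the command line.
if [ -n "${1:-}" ]; then
  fetch_options_star "$1" | classify_response
fi
```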
