You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by Takacs Istvan <is...@hungax.com> on 2002/01/12 15:17:11 UTC
Strange PUT method behavior?
Hi,
Red Hat 7.2, Apache 1.3.22
One of our server has that kind of directory structure
what enables for apache user to upload files.
How can I disable to upload files other than the
usage of a browser?
If I telnet to port 80, and use HTTP commands,
then I get this messages:
[root@server]# telnet www.developer.com 80
Trying 192.168.100.54...
Connected to www.developer.com.
Escape character is '^]'.
PUT /path/to/writable/directory /etc/sysconfig/sendmail HTTP/1.1
Host: www.developer.com
HTTP/1.1 301 Moved Permanently
Date: Fri, 11 Jan 2002 18:52:51 GMT
Server: Apache/1.3.22
Location: http://www.developer.com/path/to/writable/directory/
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>301 Moved Permanently</TITLE>
</HEAD><BODY>
<H1>Moved Permanently</H1>
The document has moved <A
HREF="http://www.developer.com/path/to/writable/directory/">here</A>.<P>
<HR>
<ADDRESS>Apache/1.3.22 Server at www.developer.com Port 80</ADDRESS>
</BODY></HTML>
Connection closed by foreign host.
I couldn't find the sendmail file in the given directory, but it's not a
good
Apache message for me.
Can I protect somehow our server from the illegal file uploads?
Thanks in advance!
Regards,
Istvan
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
RE: Strange PUT method behavior?
Posted by Joshua Slive <jo...@slive.ca>.
> From: Takacs Istvan [mailto:istvan.takacs@hungax.com]
>> When I tried to upload a file to the server by PUT method
> (just to test whether someone could write his illegal
> sadomaso.jpg into one of our clients directory), then I
> got back that unpleasant message from the server.
>
> So, I'm a bit frightened that anyone could upload their
> materials to the server if they know the path to a
> writable directory without so much as to identify
> themself at the first login page.
>
> So, my question is that whether am I right, or is there
> any workaround to disable this counterproductive feature?
The "unpleasant message" was simply a redirect. That happens whenever you
request a directory without the trailing slash. It is nothing to worry
about. Try it again with the trailing slash (as in PUT
/path/to/writable/directory/ HTTP/1.0) and you should get an error message.
As far as the rest of your security, I have no idea how you are doing it, so
I can't comment.
Joshua.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
RE: Strange PUT method behavior?
Posted by Takacs Istvan <is...@hungax.com>.
Hi,
First of all, thanks for your help, and
sorry for my poor English!
So, we develop a commercial site, and it has
a feature to give the users the ability to upload
their files into a separated directory structure under
htdocs. They use their browsers for this.
The users writes their files in the context of the apache
user, so the directories have rwx permissions for the
apache user and the owner of the files is the apache user,
as well.
I tried do delete on of these files via a telnet connection
and Apache's sent back a correct error message:
"The requested method DELETE is not allowed
for the URL /path/to/file"
Am I to understand that no one can deletes or overwrites
these files although he knows the correct path?
When I tried to upload a file to the server by PUT method
(just to test whether someone could write his illegal
sadomaso.jpg into one of our clients directory), then I
got back that unpleasant message from the server.
So, I'm a bit frightened that anyone could upload their
materials to the server if they know the path to a
writable directory without so much as to identify
themself at the first login page.
So, my question is that whether am I right, or is there
any workaround to disable this counterproductive feature?
Thanks in advance!
Regards,
Istvan
> > Red Hat 7.2, Apache 1.3.22
> >
> > One of our server has that kind of directory structure
> > what enables for apache user to upload files.
> > How can I disable to upload files other than the
> > usage of a browser?
> > If I telnet to port 80, and use HTTP commands,
> > then I get this messages:
> >
> > [root@server]# telnet www.developer.com 80
> > Trying 192.168.100.54...
> > Connected to www.developer.com.
> > Escape character is '^]'.
> > PUT /path/to/writable/directory /etc/sysconfig/sendmail HTTP/1.1
> > Host: www.developer.com
> >
> > HTTP/1.1 301 Moved Permanently
>
> Well, technically, that is not at all a properly formed PUT
> request. I'm
> not sure why apache doesn't just reject it as malformed. But
> in any case, I
> don't see any security problem here. Apache is issuing a
> redirect because
> you are accessing a directory without the required trailing
> slash. It isn't
> actually accepting the PUT.
>
> It's possible I've completely missed the point of your
> question. If so,
> please rephrase and try to be a little clearer about what you
> are trying to
> do, what you think Apache should do, and what it is actually doing.
>
> Joshua.
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP
> Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
RE: Strange PUT method behavior?
Posted by Joshua Slive <jo...@slive.ca>.
> From: Takacs Istvan [mailto:istvan.takacs@hungax.com]
> Red Hat 7.2, Apache 1.3.22
>
> One of our server has that kind of directory structure
> what enables for apache user to upload files.
> How can I disable to upload files other than the
> usage of a browser?
> If I telnet to port 80, and use HTTP commands,
> then I get this messages:
>
> [root@server]# telnet www.developer.com 80
> Trying 192.168.100.54...
> Connected to www.developer.com.
> Escape character is '^]'.
> PUT /path/to/writable/directory /etc/sysconfig/sendmail HTTP/1.1
> Host: www.developer.com
>
> HTTP/1.1 301 Moved Permanently
Well, technically, that is not at all a properly formed PUT request. I'm
not sure why apache doesn't just reject it as malformed. But in any case, I
don't see any security problem here. Apache is issuing a redirect because
you are accessing a directory without the required trailing slash. It isn't
actually accepting the PUT.
It's possible I've completely missed the point of your question. If so,
please rephrase and try to be a little clearer about what you are trying to
do, what you think Apache should do, and what it is actually doing.
Joshua.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org