Posted to users@httpd.apache.org by Sage Weaver <sa...@gypsycaravan.com> on 2003/11/20 00:32:40 UTC
[users@httpd] Can DELETE or PUT be used maliciously?
I'm not well-versed with the HTTP specification, and either there's not
a lot of very explicit, clear information out there, or my Google search
skills are not up to snuff... so please bear with me if this seems like
a stupid question.
In the Apache 2.0 configuration file that comes with Red Hat 9, the
following is commented out:
# Control access to UserDir directories. The following is an example
# for a site where these directories are restricted to read-only.
#
#<Directory /home/*/public_html>
#    AllowOverride FileInfo AuthConfig Limit
#    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
#    <Limit GET POST OPTIONS>
#        Order allow,deny
#        Allow from all
#    </Limit>
#    <LimitExcept GET POST OPTIONS>
#        Order deny,allow
#        Deny from all
#    </LimitExcept>
#</Directory>
This led me to look up the <Limit> directive, which tells me that there
are also methods like PUT and DELETE, which, from what I could ascertain
from various Google searches, are indeed designed to save a file (like
uploading a new document -- supposedly this is how FrontPage saves files
to the server) and delete a file, respectively (The documentation for
<Limit> also mentions "MOVE," "COPY," and other dangerous-sounding
request methods).
I have been unable to find any more information regarding the use of the
PUT and DELETE, and what it takes to invoke such commands on a server.
I am currently not using the <Limit> directive at all -- the only
reference to that directive in the conf file is in the above section,
which is commented out. Does this mean that anyone could feasibly send
DELETE or PUT to maliciously attack my site? Or does it take more than
that to cause damage, and I'm just being paranoid? Or have I
misinterpreted the function of those request methods entirely?
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
To unsubscribe from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Can DELETE or PUT be used maliciously?
Posted by Aaron Morris <aa...@mindspring.com>.
They could be used as an "attack". Although if they just used them, it
would not be an attack; they would just be using the method. If you do
not have proper security [read: authentication] or permissions set on
your files and directories (i.e. files should not be writable by the user
the httpd process is running as, except in the case of mod_dav), then
they could be used maliciously.
AFAIK, DELETE is only available if you have mod_dav loaded (and it
includes lots of other methods like MOVE and COPY). If you unload all
of the unnecessary modules from your server, you will have less to
secure and worry about, as well as having a smaller memory footprint.
Which brings us back to the damned TRACE method. I have decided to
"disable" it on all of my Apache servers. Why? Because I am going to
waste more time defending the position of not disabling it than it
would take to just disable it. And to be frank, I kind of agree
with their position. If we are paying you to do what we want, and it is
not going to break anything, then why are we not doing it? How can you
fight that without looking like a complete ass?
--
Aaron W Morris <aa...@mindspring.com> (decep)
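Two offline checks that follow from the reply above (added here as an example; this script is not from the thread or from the Apache project). The first reads `httpd -M` / `apachectl -M` style output and reports whether the mod_dav family that implements PUT, DELETE, MOVE and COPY is loaded at all. The second scans a combined-format access log for requests whose method falls outside the same GET/POST/OPTIONS set the Red Hat <Limit> example permits (HEAD added, since Apache treats it with GET), which is what you would look at to see whether anyone is actually probing for those methods. The module listing, log lines, client addresses and paths are constructed sample data, not real output.

```shell
#!/bin/sh
# Added example, not from the thread. Both functions read their input on
# stdin so they can be fed either a saved file or a live pipe, e.g.
#   httpd -M 2>/dev/null | dav_modules_loaded
#   risky_methods < /var/log/httpd/access_log

# Print the DAV-related modules present in `httpd -M` style output.
# Exit 0 if any are loaded, 1 if none (then PUT/DELETE/MOVE/COPY have no
# handler in a stock build and the default handler answers 405).
dav_modules_loaded() {
    found=$(grep -E '^[[:space:]]*dav(_fs|_lock)?_module' | sed 's/^[[:space:]]*//' || true)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 0
    fi
    return 1
}

# Methods the read-only tree is meant to accept; everything else is reported.
ALLOWED='GET|POST|HEAD|OPTIONS'

# For every access-log line whose method is not in ALLOWED, print
# "METHOD CLIENT PATH". The request line is the text inside the first pair
# of double quotes in the combined/common log format.
risky_methods() {
    awk -v allowed="$ALLOWED" '
        {
            split($0, q, "\"")        # q[2] = "METHOD /path HTTP/x.y"
            split(q[2], req, " ")
            method = req[1]
            if (method !~ "^(" allowed ")$")
                print method, $1, req[2]
        }
    '
}

# Constructed sample input (not real server output or traffic).
SAMPLE_MODULES='Loaded Modules:
 core_module (static)
 dav_module (shared)
 dav_fs_module (shared)
 mpm_event_module (shared)'

SAMPLE_LOG='203.0.113.7 - - [19/Nov/2003:23:10:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla"
203.0.113.7 - - [19/Nov/2003:23:10:02 +0000] "PUT /shell.php HTTP/1.1" 405 0 "-" "curl"
203.0.113.9 - - [19/Nov/2003:23:11:05 +0000] "DELETE /index.html HTTP/1.1" 405 0 "-" "curl"
198.51.100.4 - - [19/Nov/2003:23:12:00 +0000] "OPTIONS * HTTP/1.1" 200 0 "-" "scanner"
198.51.100.4 - - [19/Nov/2003:23:12:01 +0000] "TRACE / HTTP/1.1" 200 0 "-" "scanner"'

# Stand-alone run over the sample data.
printf 'DAV modules loaded:\n'
printf '%s\n' "$SAMPLE_MODULES" | dav_modules_loaded || printf '(none)\n'
printf 'Requests using non-allow-listed methods:\n'
printf '%s\n' "$SAMPLE_LOG" | risky_methods
```

A 405 in the log for PUT or DELETE means the core handler refused the method; a 200 or 201 on those methods, or a TRACE that echoes the request back, is what should get your attention.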
Re: [users@httpd] Can DELETE or PUT be used maliciously?
Posted by Saqib Ali <sa...@seagate.com>.
If you have WebDAV ( http://www.webdav.org ) enabled on your server, then
these methods can be used improperly.
If you do have WebDAV enabled, make sure proper
authorization/authentication is required on directories where these
methods are enabled.
For more info, check out
http://www.xml-dev.com:8080/cocoon/mount/docbook/Apache-WebDAV-LDAP-HOWTO.html#N4003B0
Saqib Ali
-------------
http://validate.sf.net <---- HTML/XHTML/DocBook Validator
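The configuration the question asks about and the advice in the last reply, written out as an added example (not from the thread, not from the Red Hat or Apache project files). It uses Apache 2.4 `Require` syntax rather than the 2.0 `Order`/`Allow`/`Deny` lines quoted in the question; the directory paths, the htpasswd file and the DAV lock database location are placeholders. Note that without mod_dav Apache's default handler has no implementation of PUT or DELETE for static files and answers 405 Method Not Allowed, so the commented-out <LimitExcept> block in a stock Red Hat install is defence in depth rather than the only thing standing between a client and the filesystem; it is once `DAV On` is set that method restriction and authentication become essential.

```apache
# Added example, not from the thread or from the Apache project.
# Apache 2.4 syntax; paths and file names are placeholders.

DavLockDB /var/lib/apache2/davlock/DavLock

# Weak: DAV enabled with no authentication. Anyone who can reach this
# vhost can PUT, DELETE, MOVE, COPY and MKCOL under the tree, limited only
# by the filesystem permissions of the user httpd runs as.
<Directory /var/www/dav-open>
    DAV On
    Require all granted
</Directory>

# Hardened: read methods for everyone, write methods only for
# authenticated users, everything else (TRACE, PATCH, unknown methods)
# refused. HEAD is covered by GET; PROPFIND is the DAV read method.
<Directory /var/www/dav>
    DAV On
    AuthType Basic
    AuthName "WebDAV"
    AuthUserFile /etc/apache2/dav.htpasswd
    <Limit GET HEAD OPTIONS PROPFIND>
        Require all granted
    </Limit>
    <LimitExcept GET HEAD OPTIONS PROPFIND>
        Require valid-user
    </LimitExcept>
</Directory>

# Read-only tree without DAV, the Red Hat example in current syntax:
# GET/POST/OPTIONS allowed, every other method denied before any
# handler sees it.
<Directory /home/*/public_html>
    AllowOverride FileInfo AuthConfig Limit
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    <Limit GET POST OPTIONS>
        Require all granted
    </Limit>
    <LimitExcept GET POST OPTIONS>
        Require all denied
    </LimitExcept>
</Directory>

# The TRACE method discussed in the first reply has its own switch
# (server or virtual-host context) and does not need a <Limit> block.
TraceEnable off
```

Basic auth over plain HTTP sends the password in the clear on every PUT, so the hardened block belongs in an HTTPS vhost in practice; the method restriction is the same either way.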