Posted to users@httpd.apache.org by Sage Weaver <sa...@gypsycaravan.com> on 2003/11/20 00:32:40 UTC

[users@httpd] Can DELETE or PUT be used maliciously?

I'm not well-versed with the HTTP specification, and either there's not 
a lot of very explicit, clear information out there, or my Google search 
skills are not up to snuff... so please bear with me if this seems like 
a stupid question.

In the Apache 2.0 configuration file that comes with Red Hat 9, the 
following is commented out:

# Control access to UserDir directories.  The following is an example
# for a site where these directories are restricted to read-only.
#
#<Directory /home/*/public_html>
#    AllowOverride FileInfo AuthConfig Limit
#    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
#    <Limit GET POST OPTIONS>
#        Order allow,deny
#        Allow from all
#    </Limit>
#    <LimitExcept GET POST OPTIONS>
#        Order deny,allow
#        Deny from all
#    </LimitExcept>
#</Directory>

This led me to look up the <Limit> directive, which tells me that there 
are also methods like PUT and DELETE, which, from what I could ascertain 
from various Google searches, are indeed designed to save a file (like 
uploading a new document -- supposedly this is how FrontPage saves files 
to the server) and delete a file, respectively (The documentation for 
<Limit> also mentions "MOVE," "COPY," and other dangerous-sounding 
request methods).

I have been unable to find any more information regarding the use of the 
PUT and DELETE, and what it takes to invoke such commands on a server. 
I am currently not using the <Limit> directive at all -- the only 
reference to that directive in the conf file is in the above section, 
which is commented out.  Does this mean that anyone could feasibly send 
DELETE or PUT to maliciously attack my site?  Or does it take more than 
that to cause damage, and I'm just being paranoid?  Or have I 
misinterpreted the function of those request methods entirely?


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Can DELETE or PUT be used maliciously?

Posted by Aaron Morris <aa...@mindspring.com>.

Sage Weaver wrote:

> I'm not well-versed with the HTTP specification, and either there's not 
> a lot of very explicit, clear information out there, or my Google search 
> skills are not up to snuff... so please bear with me if this seems like 
> a stupid question.
> 
> In the Apache 2.0 configuration file that comes with Red Hat 9, the 
> following is commented out:
> 
> # Control access to UserDir directories.  The following is an example
> # for a site where these directories are restricted to read-only.
> #
> #<Directory /home/*/public_html>
> #    AllowOverride FileInfo AuthConfig Limit
> #    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
> #    <Limit GET POST OPTIONS>
> #        Order allow,deny
> #        Allow from all
> #    </Limit>
> #    <LimitExcept GET POST OPTIONS>
> #        Order deny,allow
> #        Deny from all
> #    </LimitExcept>
> #</Directory>
> 
> This led me to look up the <Limit> directive, which tells me that there 
> are also methods like PUT and DELETE, which, from what I could ascertain 
> from various Google searches, are indeed designed to save a file (like 
> uploading a new document -- supposedly this is how FrontPage saves files 
> to the server) and delete a file, respectively (The documentation for 
> <Limit> also mentions "MOVE," "COPY," and other dangerous-sounding 
> request methods).
> 
> I have been unable to find any more information regarding the use of the 
> PUT and DELETE, and what it takes to invoke such commands on a server. I 
> am currently not using the <Limit> directive at all -- the only 
> reference to that directive in the conf file is in the above section, 
> which is commented out.  Does this mean that anyone could feasibly send 
> DELETE or PUT to maliciously attack my site?  Or does it take more than 
> that to cause damage, and I'm just being paranoid?  Or have I 
> misinterpreted the function of those request methods entirely?
> 

They could be used as an "attack".  Although if they just used them, it 
would not be an attack, they would just be using the method.  If you do 
not have proper security [read: authentication] or permissions set on 
your files and directories (i.e. files should not be writable by the user 
the httpd process is running as, except in the case of mod_dav), then 
they could be used maliciously.

AFAIK, DELETE is only available if you have mod_dav loaded (and it 
includes lots of other methods like MOVE and COPY).  If you unload all 
of the unnecessary modules from your server, you will have less to 
secure and worry about, as well as having a smaller memory footprint.

Which brings us back to the damned TRACE method.  I have decided to 
"disable" it on all of my Apache servers.  Why?  Because I am going to 
waste more time defending the position of not disabling it than it 
would take to just disable it.  And to be frank, I kind of agree 
with their position.  If we are paying you to do what we want, and it is 
not going to break anything, then why are we not doing it?  How can you 
fight that without looking like a complete ass?

-- 
Aaron W Morris <aa...@mindspring.com> (decep)
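The practical check behind the two replies above is simple: there is nothing special about "invoking" PUT or DELETE, a client just writes the method name on the request line, so the only questions are whether the server advertises the method (OPTIONS / Allow:) and, more importantly, whether it actually acts on a real attempt. The following is an added example, not code from this thread or from the httpd project. It parses a constructed OPTIONS response of the shape a mod_dav-enabled httpd returns, buckets the advertised methods, and has a live probe that sends OPTIONS, PUT, DELETE and TRACE to a host you name. The host, port and the scratch path `/probe-scratch.txt` are hypothetical placeholders, and the sample response (including its Server and Allow headers) is constructed for illustration.

```python
"""Probe which HTTP methods a server advertises and honours.

Added example for the thread above; not httpd project code. Run it with a
hostname argument to probe a server you own, or with no argument to see the
classification of the constructed sample response below.
"""
import http.client
import sys

# Methods the thread worries about. PUT/DELETE/MOVE/COPY and friends normally
# exist only with mod_dav loaded; TRACE is a plain HTTP/1.1 method.
WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH", "LOCK", "UNLOCK"}
DAV_READ_METHODS = {"PROPFIND"}
REFLECTIVE_METHODS = {"TRACE"}


def parse_allow_header(raw_response: str) -> set:
    """Return the set of methods listed in the Allow: header of a raw HTTP
    response (status line + headers; body ignored). Empty set if absent."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    allowed = set()
    for line in head.split("\r\n")[1:]:          # [1:] skips the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "allow":
            allowed.update(m.strip().upper() for m in value.split(",") if m.strip())
    return allowed


def classify(allowed: set) -> dict:
    """Split an advertised method list into the buckets a reviewer cares about."""
    other = WRITE_METHODS | DAV_READ_METHODS | REFLECTIVE_METHODS
    return {
        "write": sorted(allowed & WRITE_METHODS),
        "dav_read": sorted(allowed & DAV_READ_METHODS),
        "reflective": sorted(allowed & REFLECTIVE_METHODS),
        "benign": sorted(allowed - other),
    }


def interpret_status(method: str, status: int) -> str:
    """Translate the status of a real PUT/DELETE/TRACE attempt. Advertising a
    method in Allow: and honouring it are different things; this is the check
    that counts."""
    if status in (401, 407):
        return f"{method}: credentials required (auth is enforced)"
    if status in (403, 405, 501):
        return f"{method}: refused ({status}); method is blocked or not implemented"
    if 200 <= status < 300:
        return f"{method}: ACCEPTED ({status}); the server acted on the request"
    return f"{method}: inconclusive ({status})"


def probe(host: str, port: int = 80, path: str = "/probe-scratch.txt") -> list:
    """Live check (hypothetical host/path). Sends OPTIONS, then a tiny PUT and a
    DELETE against `path` and a TRACE of '/', returning interpretation strings.
    Only aim this at a server you own: PUT/DELETE change content."""
    results = []
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("OPTIONS", "*")
    resp = conn.getresponse()
    resp.read()
    allowed = {m.strip().upper() for m in (resp.getheader("Allow") or "").split(",") if m.strip()}
    results.append(f"OPTIONS advertises: {classify(allowed)}")
    for method, target, body in (("PUT", path, b"probe\n"), ("DELETE", path, None), ("TRACE", "/", None)):
        conn.request(method, target, body=body)
        resp = conn.getresponse()
        resp.read()
        results.append(interpret_status(method, resp.status))
    conn.close()
    return results


# Constructed sample: the shape of an OPTIONS reply from an httpd with mod_dav
# enabled on the path (exact header set varies by version and config).
SAMPLE_OPTIONS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Thu, 20 Nov 2003 00:32:40 GMT\r\n"
    "Server: Apache/2.0.40\r\n"
    "DAV: 1,2\r\n"
    "Allow: OPTIONS,GET,HEAD,POST,PUT,DELETE,TRACE,PROPFIND,PROPPATCH,COPY,MOVE,MKCOL,LOCK,UNLOCK\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for line in probe(sys.argv[1]):
            print(line)
    else:
        print(classify(parse_allow_header(SAMPLE_OPTIONS_RESPONSE)))
```

On a server with mod_dav unloaded and the <LimitExcept GET POST OPTIONS> block from the original post active, the expectation is that PUT and DELETE come back 403 or 405 and nothing lands on disk; a 2xx on the PUT means the method was honoured and the file permissions and authentication Aaron describes are the only thing standing between a client and your document root.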






Re: [users@httpd] Can DELETE or PUT be used maliciously?

Posted by Saqib Ali <sa...@seagate.com>.
If you have WebDAV ( http://www.webdav.org ) enabled on your server, then
these methods can be used improperly.

If you do have WebDAV enabled, make sure proper
authorization/authentication is required on directories where these
methods are enabled.

For more info, check out
http://www.xml-dev.com:8080/cocoon/mount/docbook/Apache-WebDAV-LDAP-HOWTO.html#N4003B0

Saqib Ali
-------------
http://validate.sf.net <---- HTML/XHTML/DocBook Validator

On Wed, 19 Nov 2003, Sage Weaver wrote:

> I'm not well-versed with the HTTP specification, and either there's not
> a lot of very explicit, clear information out there, or my Google search
> skills are not up to snuff... so please bear with me if this seems like
> a stupid question.
>
> In the Apache 2.0 configuration file that comes with Red Hat 9, the
> following is commented out:
>
> # Control access to UserDir directories.  The following is an example
> # for a site where these directories are restricted to read-only.
> #
> #<Directory /home/*/public_html>
> #    AllowOverride FileInfo AuthConfig Limit
> #    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
> #    <Limit GET POST OPTIONS>
> #        Order allow,deny
> #        Allow from all
> #    </Limit>
> #    <LimitExcept GET POST OPTIONS>
> #        Order deny,allow
> #        Deny from all
> #    </LimitExcept>
> #</Directory>
>
> This led me to look up the <Limit> directive, which tells me that there
> are also methods like PUT and DELETE, which, from what I could ascertain
> from various Google searches, are indeed designed to save a file (like
> uploading a new document -- supposedly this is how FrontPage saves files
> to the server) and delete a file, respectively (The documentation for
> <Limit> also mentions "MOVE," "COPY," and other dangerous-sounding
> request methods).
>
> I have been unable to find any more information regarding the use of the
> PUT and DELETE, and what it takes to invoke such commands on a server.
> I am currently not using the <Limit> directive at all -- the only
> reference to that directive in the conf file is in the above section,
> which is commented out.  Does this mean that anyone could feasibly send
> DELETE or PUT to maliciously attack my site?  Or does it take more than
> that to cause damage, and I'm just being paranoid?  Or have I
> misinterpreted the function of those request methods entirely?
>
