Mailing List Archive: Apache: Users

HTTP methods vulnerabilities

Index | Next | Previous | View Threaded

bijayant.mws at gmail

Aug 17, 2012, 3:46 PM

Post #1 of 2 (187 views)
Permalink

HTTP methods vulnerabilities

Hi List,

Some days back I came across a very weired problem, and I am not able
to figure out. The security scanners scanned one of our public facing
website and they said that webserver is vulnerable to HTTP methods or
may be webdav is enabled. I looked around the code and couln't find
anything. Below is my findings and approach

1. Webdav module is not enabled at all on the webserver.

2.
<Directory DOCROOT>

<Limit GET POST OPTIONS>
Order allow,deny
Allow from all
</Limit>
<LimitExcept GET POST OPTIONS>
Order deny,allow
Deny from all
</LimitExcept>
AllowOverride None
Order allow,deny
Allow from all
</Directory>

3. DELETE and PUT is disabled by rewrite rules

RewriteCond %{REQUEST_METHOD} ^DELETE
RewriteRule .* - [F,L]
RewriteCond %{REQUEST_METHOD} ^PUT
RewriteRule .* - [F,L]

4. Did telnet test as well

bash-3.2$ telnet x.x.x.x 8090
Trying x.x.x.x....
Connected to x.x.x.x..
Escape character is '^]'.
OPTIONS / HTTP/1.0

HTTP/1.1 200 OK
Date: Mon, 30 Jul 2012 18:50:02 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8l
Allow: GET,HEAD,POST,OPTIONS,TRACE
Content-Length: 0
Connection: close

There are tomcat applaition as well behind this Apache instance. I
looked in to there as well, but coulnt find any thing related to
webdav in web.xml.

Am I missing something to rule out the possibility that Apache is not
vulnerable to any of the HTTP methods? Or ther is anything still which
is throwing that stuff. Because we have to get rid of that
vulnerabilities any how. Where else I should check?

Any comments or direction would be very helpful .

Thanks & Regards,
Bijayant Kumar

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe [at] httpd
For additional commands, e-mail: users-help [at] httpd

jim at jaguNET

Aug 17, 2012, 4:08 PM

Post #2 of 2 (187 views)
Permalink

Re: HTTP methods vulnerabilities [In reply to]

Although I don't know for sure, I'm guessing it's because
TRACE is enabled. Some brain-dead security audits consider
allowing TRACE to be a "security issue" (although it's
not)...

Check out http://httpd.apache.org/docs/2.4/mod/core.html#traceenable
and give your security scanners a whack with a clue-stick.

On Aug 17, 2012, at 6:46 PM, Kumar Bijayant <bijayant.mws [at] gmail> wrote:

> Hi List,
>
> Some days back I came across a very weired problem, and I am not able
> to figure out. The security scanners scanned one of our public facing
> website and they said that webserver is vulnerable to HTTP methods or
> may be webdav is enabled. I looked around the code and couln't find
> anything. Below is my findings and approach
>
> 1. Webdav module is not enabled at all on the webserver.
>
> 2.
> <Directory DOCROOT>
>
> <Limit GET POST OPTIONS>
> Order allow,deny
> Allow from all
> </Limit>
> <LimitExcept GET POST OPTIONS>
> Order deny,allow
> Deny from all
> </LimitExcept>
> AllowOverride None
> Order allow,deny
> Allow from all
> </Directory>
>
> 3. DELETE and PUT is disabled by rewrite rules
>
> RewriteCond %{REQUEST_METHOD} ^DELETE
> RewriteRule .* - [F,L]
> RewriteCond %{REQUEST_METHOD} ^PUT
> RewriteRule .* - [F,L]
>
> 4. Did telnet test as well
>
> bash-3.2$ telnet x.x.x.x 8090
> Trying x.x.x.x....
> Connected to x.x.x.x..
> Escape character is '^]'.
> OPTIONS / HTTP/1.0
>
> HTTP/1.1 200 OK
> Date: Mon, 30 Jul 2012 18:50:02 GMT
> Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8l
> Allow: GET,HEAD,POST,OPTIONS,TRACE
> Content-Length: 0
> Connection: close
>
> There are tomcat applaition as well behind this Apache instance. I
> looked in to there as well, but coulnt find any thing related to
> webdav in web.xml.
>
> Am I missing something to rule out the possibility that Apache is not
> vulnerable to any of the HTTP methods? Or ther is anything still which
> is throwing that stuff. Because we have to get rid of that
> vulnerabilities any how. Where else I should check?
>
> Any comments or direction would be very helpful .
>
> Thanks & Regards,
> Bijayant Kumar
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe [at] httpd
> For additional commands, e-mail: users-help [at] httpd
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe [at] httpd
For additional commands, e-mail: users-help [at] httpd

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads