  1. #1
    Join Date
    Jan 2005
    Posts
    60

    how to disable http methods (eg PUT DELETE etc)

    How do I delete http methods which I don't need - don't even know how to use them!
    After consulting apache docs, I tried entering this to the top directory in httpd.conf

    <Directory />
    Options All
    AllowOverride All
    <Limit POST PUT DELETE CONNECT PROPFIND PROPPATCH>
    # Require valid-user
    Deny from all
    </Limit>
    </Directory>

    (I actually want Deny from all, but in the apache docs it says "require valid-user", but neither works.)

    I'm testing which methods are accepted using Nikto, which reports:

    Code:
    + Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK, TRACE 
    + HTTP method 'PUT' method may allow clients to save files on the web server.
    + HTTP method 'CONNECT' may allow server to proxy client requests.
    + HTTP method 'DELETE' may allow clients to remove files on the web server.
    + HTTP method 'PROPFIND' may indicate DAV/WebDAV is installed. This may be used to get directory listings if indexing is allowed but a default page exists. OSVDB-13431.
    + HTTP method 'PROPPATCH' may indicate DAV/WebDAV is installed.
    + HTTP method 'TRACE' is typically only used for debugging. It should be disabled. OSVDB-877.
    + /test - Redirects to http://www.saurin.com/test/ , Apache Tomcat default file found. All default files should be removed.
    +  TRACE option appears to allow XSS or credential theft. See http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details (TRACE)
    + TRACK option ('TRACE' alias) appears to allow XSS or credential theft. See http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details

    On the same track, TRACE is reported to be ignored by apache, therefore after reading the implementation to disable TRACE in the white paper, I used:

    <IfModule mod_rewrite.c>
    RewriteEngine on
    # match the request method, not the URL
    RewriteCond %{REQUEST_METHOD} ^TRACE
    # "-" (a plain hyphen) means no substitution; [F] returns 403 Forbidden
    RewriteRule .* - [F]
    </IfModule>

    but Nikto still says it's available.
    Of course, the conf file is reloaded after editing.

    Any help would be appreciated!
    Andy

  2. #2
    Join Date
    Mar 2003
    Location
    Saint Paul, MN
    Posts
    832
    I believe you're forgetting the "order" instruction.

    What we use in a number of spots is:

    <Limit POST HEAD>
    order deny,allow
    deny from all
    </Limit>

    Works for us.
    redpin.com - offering amazingly competent email, dns, and web hosting since 2002... because someone has to!
    Because Simple Things Should Be Simple - YouCANHasDNS

  3. #3
    Join Date
    Jan 2005
    Posts
    60
    I just don't get it - it's as if <Limit> is not working at all -

    <Directory />
    <Limit GET POST HEAD OPTIONS>
    Order allow,deny
    Allow from all
    </Limit>
    <LimitExcept GET POST HEAD OPTIONS>
    Order deny,allow
    Deny from all
    </LimitExcept>
    </Directory>

    it just does nothing -

  4. #4
    Join Date
    Mar 2003
    Location
    Saint Paul, MN
    Posts
    832
    My guess would be that somewhere along the way your Apache configuration is overriding what you're putting for <Directory />. Do you have a separate stanza for /var/www , or /home, or /usr/local/www, or wherever else your websites are served from under? Have you tried putting the directives in a .htaccess file, and seeing if it works there? Or in your VirtualHost stanza?

    You can also try rewrite rules, viz:

    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} POST
    RewriteRule .*$ - [F,L]
    redpin.com - offering amazingly competent email, dns, and web hosting since 2002... because someone has to!
    Because Simple Things Should Be Simple - YouCANHasDNS

  5. #5
    Join Date
    Jan 2005
    Posts
    60
    ok this is weird -
    I decided to go the .htaccess route, since this was the easiest to bypass any other directive in httpd.conf

    .htaccess at the server root level
    Code:
    <Limit GET POST HEAD OPTIONS>
            Order allow,deny
            Allow from all  
    </Limit>     
    <LimitExcept GET POST HEAD OPTIONS>
            Order deny,allow
            Deny from all   
    </LimitExcept>
    then connect to the server:
    Code:
    telnet server.com 80
    Trying xx.xx.xx.xx...
    Connected to server.com.
    Escape character is '^]'.
    OPTIONS / HTTP/1.1
    Host: server.com
    
    HTTP/1.1 200 OK
    Date: Thu, 17 Nov 2005 17:11:57 GMT
    Server: Apache Web Server
    Content-Length: 0
    Allow: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK, TRACE
    
    Connection closed by foreign host.
    and so to make sure .htaccess is working, do a deny from all (for both limits)
    Code:
    <Limit GET POST HEAD OPTIONS>
            Order deny,allow
            Deny from all  
    </Limit>     
    <LimitExcept GET POST HEAD OPTIONS>
            Order deny,allow
            Deny from all   
    </LimitExcept>
    and now I get a forbidden when connecting:
    Code:
    telnet server.com 80
    Trying xx.xx.xx.xx...
    Connected to server.com.
    Escape character is '^]'.
    OPTIONS / HTTP/1.1
    Host: server.com
    
    HTTP/1.1 403 Forbidden
    Date: Thu, 17 Nov 2005 17:11:27 GMT
    Server: Apache Web Server
    Transfer-Encoding: chunked
    Content-Type: application/x-httpd-php
    
    3bb
    <HTML>
    <HEAD>
    <TITLE>403 Forbidden</TITLE>
    So .htaccess is working (which it should since the config allows all overrides). I just don't get it!
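    A checker for what this thread is actually after, added here as an example (it is not from any of the posts above and not Apache's own tooling): the Nikto report and the OPTIONS test above both read the Allow: header, which Apache builds from the handlers registered for the resource (core plus mod_dav), not from <Limit>/<LimitExcept>, so it keeps listing methods the access rules refuse. The only reliable check is to send each method and look at the status code. The ALLOWED set, the sample result table and the host name on the command line are constructed assumptions.

    ```python
    import http.client
    import sys

    # Methods the site actually needs; everything else should be refused.
    ALLOWED = {"GET", "HEAD", "POST", "OPTIONS"}

    # Methods the thread's Nikto/OPTIONS output listed, plus TRACK (TRACE alias).
    PROBE = ["GET", "HEAD", "POST", "OPTIONS", "PUT", "DELETE", "CONNECT", "PATCH",
             "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK",
             "TRACE", "TRACK"]

    def parse_allow(header_value):
        """Split an 'Allow:' header into a set of upper-cased method tokens."""
        return {m.strip().upper() for m in header_value.split(",") if m.strip()}

    def advertised_but_unwanted(allow_header):
        """Methods advertised in Allow: that are not in ALLOWED (what Nikto flags).
        Advertised is not the same as accepted: <Limit> does not edit this header."""
        return sorted(parse_allow(allow_header) - ALLOWED)

    def classify(method, status):
        """Enforcement verdict for one probed method from its HTTP status code."""
        if method in ALLOWED:
            return "expected" if status != 403 else "BLOCKED-BUT-NEEDED"
        # 403 = access rule hit, 405/501 = Apache does not implement the method
        return "blocked" if status in (403, 405, 501) else "STILL-ACCEPTED"

    def summarize(results):
        """results: {method: status}. Returns the unwanted methods still accepted."""
        return sorted(m for m, s in results.items()
                      if classify(m, s) == "STILL-ACCEPTED")

    def probe_live(host, port=80, path="/"):
        """Send each method to a server you administer and collect status codes."""
        results = {}
        for method in PROBE:
            conn = http.client.HTTPConnection(host, port, timeout=5)
            conn.request(method, path, headers={"Host": host})
            results[method] = conn.getresponse().status
            conn.close()
        return results

    if __name__ == "__main__":
        if len(sys.argv) > 1:
            results = probe_live(sys.argv[1])  # e.g. python check.py server.com
        else:
            # Constructed sample: LimitExcept blocks the rest, TRACE slips through.
            results = {m: (200 if m in ALLOWED else 403) for m in PROBE}
            results["TRACE"] = 200
        for m in PROBE:
            print(f"{m:<10}{results[m]}  {classify(m, results[m])}")
        print("still accepted:", summarize(results))
    ```

    Run it against the Allow: line first to see what Nikto is reacting to, then against the per-method results to see what the .htaccess rules really enforce.
    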

  6. #6
    Join Date
    Jan 2005
    Posts
    60
    doesn't do anything either if I put it in the virtual server config
    Apache/1.3.33 (Unix)
    WHM 10.8.0 cPanel 10.8.1-S31
    FreeBSD 5.3-RELEASE i386 - WHM X v3.1.0

  7. #7
    Join Date
    Mar 2003
    Location
    Saint Paul, MN
    Posts
    832
    I dunno; you might have to specifically deny every HTTP request you want to block. It's not as if there are a huge number of them, after all. Or, you can just not worry about it; I really don't think it's that big of a deal.

    Just as a thought, try getting rid of the explicit <Limit...>allow...</Limit> part, as it's superfluous, really, and see if that works.
    redpin.com - offering amazingly competent email, dns, and web hosting since 2002... because someone has to!
    Because Simple Things Should Be Simple - YouCANHasDNS

  8. #8
    Join Date
    Jan 2005
    Posts
    60
    bah, I've given up - the only deny limits that do anything are GET and HEADER. the rest still show up as available, even if they are explicitly denied!
    go figure
