11-16-2005, 03:45 PM #1 Junior Guru Wannabe
Join Date: Jan 2005 | Posts: 60
How to disable HTTP methods (e.g. PUT, DELETE, etc.)
How do I delete HTTP methods which I don't need - I don't even know how to use them!
After consulting the Apache docs, I tried entering this for the top directory in httpd.conf:
<Directory />
Options All
AllowOverride All
<Limit POST PUT DELETE CONNECT PROPFIND PROPPATCH>
# Require valid-user
Deny from all
</Limit>
</Directory>
(I actually want Deny from all, but in the Apache docs it says "require valid-user"; neither works.)
I'm testing which methods are accepted using Nikto, which reports:
Code:
+ Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK, TRACE
+ HTTP method 'PUT' method may allow clients to save files on the web server.
+ HTTP method 'CONNECT' may allow server to proxy client requests.
+ HTTP method 'DELETE' may allow clients to remove files on the web server.
+ HTTP method 'PROPFIND' may indicate DAV/WebDAV is installed. This may be used to get directory listings if indexing is allowed but a default page exists. OSVDB-13431.
+ HTTP method 'PROPPATCH' may indicate DAV/WebDAV is installed.
+ HTTP method 'TRACE' is typically only used for debugging. It should be disabled. OSVDB-877.
+ /test - Redirects to http://www.saurin.com/test/ , Apache Tomcat default file found. All default files should be removed.
+ TRACE option appears to allow XSS or credential theft. See http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details (TRACE)
+ TRACK option ('TRACE' alias) appears to allow XSS or credential theft. See http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details
On the same track, TRACE is reported to be ignored by Apache, so after reading how to disable TRACE in the white paper, I used:
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
</IfModule>
But Nikto still says it's available.
Of course, the conf file is reloaded after editing.
Any help would be appreciated!
Andy
11-16-2005, 07:12 PM #2 Web Hosting Master
Join Date: Mar 2003 | Location: Saint Paul, MN | Posts: 832
I believe you're forgetting the "order" instruction.
What we use in a number of spots is:
<Limit POST HEAD>
order deny,allow
deny from all
</Limit>
Works for us.
redpin.com - offering amazingly competent email, dns, and web hosting since 2002... because someone has to!
Because Simple Things Should Be Simple - YouCANHasDNS
11-17-2005, 09:46 AM #3 Junior Guru Wannabe
Join Date: Jan 2005 | Posts: 60
I just don't get it - it's as if <Limit> is not working at all:
<Directory />
<Limit GET POST HEAD OPTIONS>
Order allow,deny
Allow from all
</Limit>
<LimitExcept GET POST HEAD OPTIONS>
Order deny,allow
Deny from all
</LimitExcept>
</Directory>
It just does nothing.
11-17-2005, 11:18 AM #4 Web Hosting Master
Join Date: Mar 2003 | Location: Saint Paul, MN | Posts: 832
My guess would be that somewhere along the way your Apache configuration is overriding what you're putting for <Directory />. Do you have a separate stanza for /var/www , or /home, or /usr/local/www, or wherever else your websites are served from under? Have you tried putting the directives in a .htaccess file, and seeing if it works there? Or in your VirtualHost stanza?
You can also try rewrite rules, viz:
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteRule .*$ - [F,L]
redpin.com - offering amazingly competent email, dns, and web hosting since 2002... because someone has to!
Because Simple Things Should Be Simple - YouCANHasDNS
11-17-2005, 01:27 PM #5 Junior Guru Wannabe
Join Date: Jan 2005 | Posts: 60
OK, this is weird.
I decided to go the .htaccess route, since this was the easiest way to bypass any other directive in httpd.conf.
.htaccess at the server root level:
Code:
<Limit GET POST HEAD OPTIONS>
Order allow,deny
Allow from all
</Limit>
<LimitExcept GET POST HEAD OPTIONS>
Order deny,allow
Deny from all
</LimitExcept>
Code:
telnet server.com 80
Trying xx.xx.xx.xx...
Connected to server.com.
Escape character is '^]'.
OPTIONS / HTTP/1.1
Host: server.com

HTTP/1.1 200 OK
Date: Thu, 17 Nov 2005 17:11:57 GMT
Server: Apache Web Server
Content-Length: 0
Allow: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK, TRACE
Connection closed by foreign host.
Code:
<Limit GET POST HEAD OPTIONS>
Order deny,allow
Deny from all
</Limit>
<LimitExcept GET POST HEAD OPTIONS>
Order deny,allow
Deny from all
</LimitExcept>
Code:
telnet server.com 80
Trying xx.xx.xx.xx...
Connected to server.com.
Escape character is '^]'.
OPTIONS / HTTP/1.1
Host: server.com

HTTP/1.1 403 Forbidden
Date: Thu, 17 Nov 2005 17:11:27 GMT
Server: Apache Web Server
Transfer-Encoding: chunked
Content-Type: application/x-httpd-php

3bb
<HTML>
<HEAD>
<TITLE>403 Forbidden</TITLE>
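An added example, not posted by anyone in this thread, of the arrangement the thread is circling around, together with the reason the Nikto and OPTIONS checks keep disagreeing with the config. Apache builds the Allow: header of an OPTIONS reply from the methods its loaded modules are able to handle (mod_dav contributes the WebDAV set); the <Limit>/<LimitExcept> access control is not consulted for that header, so the list comes back unchanged however the methods are denied. The test that actually says something is sending the denied method itself and looking for 403, which is what the second telnet session above demonstrates for OPTIONS once OPTIONS itself was denied. TRACE is the other special case: on 1.3.x the core answers TRACE before the rewrite and access-control phases run, which is why the RewriteRule from the white paper does nothing on 1.3.33; the TraceEnable directive exists for this from Apache 1.3.34 and 2.0.55 onwards. The DocumentRoot path below is an assumption.

```apache
# Added example, not from the thread.  /home/example/public_html is an
# assumed DocumentRoot: use the directory your <VirtualHost> really serves,
# because a later, more specific <Directory> block (or a vhost stanza)
# merges over <Directory /> and can replace its Order/Allow/Deny settings.
<Directory "/home/example/public_html">
    # Directory listings are what Nikto's PROPFIND note is about.
    Options -Indexes

    # Read-only methods are permitted as usual; no explicit
    # <Limit ...> Allow from all </Limit> stanza is needed for them.
    # Every other method (PUT, DELETE, PROPFIND, PROPPATCH, MKCOL, COPY,
    # MOVE, LOCK, UNLOCK, CONNECT, PATCH, ...) gets a 403.
    <LimitExcept GET POST HEAD OPTIONS>
        Order deny,allow
        Deny from all
    </LimitExcept>
</Directory>

# If WebDAV is not used at all, not loading mod_dav removes its methods
# from the OPTIONS Allow: header as well, instead of merely denying them
# (remove or comment out the matching LoadModule/AddModule lines).

# TRACE is answered by the core before <LimitExcept> and before
# mod_rewrite get a look at the request, so it needs its own directive
# (Apache 1.3.34+ / 2.0.55+):
TraceEnable off

# Verification: send the method itself rather than OPTIONS.  Using telnet
# as in the thread, type
#   PUT /probe.txt HTTP/1.1
#   Host: server.com
#   Content-Length: 0
#   (blank line)
# and expect "HTTP/1.1 403 Forbidden".  The OPTIONS Allow: header will
# still list PUT afterwards; that is expected and is not a sign the
# <LimitExcept> block is being ignored.
```

After changing httpd.conf, the usual configtest-and-restart applies (apachectl configtest, then apachectl graceful), and the .htaccess variant only has an effect where AllowOverride permits Limit for that directory.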
11-17-2005, 01:36 PM #6 Junior Guru Wannabe
Join Date: Jan 2005 | Posts: 60
Doesn't do anything either if I put it in the virtual server config.
Apache/1.3.33 (Unix)
WHM 10.8.0 cPanel 10.8.1-S31
FreeBSD 5.3-RELEASE i386 - WHM X v3.1.0
11-17-2005, 03:11 PM #7 Web Hosting Master
Join Date: Mar 2003 | Location: Saint Paul, MN | Posts: 832
I dunno; you might have to specifically deny every HTTP request you want to block. It's not as if there are a huge number of them, after all. Or, you can just not worry about it; I really don't think it's that big of a deal.
Just as a thought, try getting rid of the explicit <Limit...>allow...</Limit> part, as it's superfluous, really, and see if that works.
redpin.com - offering amazingly competent email, dns, and web hosting since 2002... because someone has to!
Because Simple Things Should Be Simple - YouCANHasDNS
11-17-2005, 03:21 PM #8 Junior Guru Wannabe
Join Date: Jan 2005 | Posts: 60
Bah, I've given up - the only deny limits that do anything are GET and HEADER. The rest still show up as available, even if they are explicitly denied!
Go figure.