how to disable http methods (eg PUT DELETE etc)

#1
Junior Guru Wannabe

How do I delete HTTP methods which I don't need? I don't even know how to use them!
After consulting the Apache docs, I tried adding this for the top directory in httpd.conf:

Code:
<Directory />
Options All
AllowOverride All
<Limit POST PUT DELETE CONNECT PROPFIND PROPPATCH>
# Require valid-user
Deny from all
</Limit>
</Directory>

(I actually want "Deny from all", but the Apache docs say "require valid-user"; neither works.)

I'm testing which methods are accepted using Nikto, which reports:

Code:
+ Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK, TRACE 
+ HTTP method 'PUT' method may allow clients to save files on the web server.
+ HTTP method 'CONNECT' may allow server to proxy client requests.
+ HTTP method 'DELETE' may allow clients to remove files on the web server.
+ HTTP method 'PROPFIND' may indicate DAV/WebDAV is installed. This may be used to get directory listings if indexing is allowed but a default page exists. OSVDB-13431.
+ HTTP method 'PROPPATCH' may indicate DAV/WebDAV is installed.
+ HTTP method 'TRACE' is typically only used for debugging. It should be disabled. OSVDB-877.
+ /test - Redirects to http://www.saurin.com/test/ , Apache Tomcat default file found. All default files should be removed.
+  TRACE option appears to allow XSS or credential theft. See http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details (TRACE)
+ TRACK option ('TRACE' alias) appears to allow XSS or credential theft. See http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details

On the same track, TRACE is reported to be ignored by Apache, so after reading how the white paper implements disabling TRACE, I used:

Code:
<IfModule mod_rewrite.c>
RewriteEngine on
# Match TRACE requests and answer them with 403 Forbidden
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
</IfModule>

but Nikto still says it's available.
Of course, the conf file is reloaded after editing.

Any help would be appreciated!
Andy



#2
Premium Member
I believe you're forgetting the "order" instruction.

What we use in a number of spots is:

Code:
<Limit POST HEAD>
order deny,allow
deny from all
</Limit>

Works for us.

__________________
redpin.com - offering amazingly competent email, dns, and web hosting since 2002... because someone has to!
Because Simple Things Should Be Simple - YouCANHasDNS


#3
Junior Guru Wannabe
I just don't get it - it's as if <Limit> is not working at all -

Code:
<Directory />
<Limit GET POST HEAD OPTIONS>
Order allow,deny
Allow from all
</Limit>
<LimitExcept GET POST HEAD OPTIONS>
Order deny,allow
Deny from all
</LimitExcept>
</Directory>

it just does nothing -

#4
Premium Member
My guess would be that somewhere along the way your Apache configuration is overriding what you're putting for <Directory />. Do you have a separate stanza for /var/www , or /home, or /usr/local/www, or wherever else your websites are served from under? Have you tried putting the directives in a .htaccess file, and seeing if it works there? Or in your VirtualHost stanza?

You can also try rewrite rules, viz:

Code:
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteRule .*$ - [F,L]


#5
Junior Guru Wannabe
OK, this is weird.
I decided to go the .htaccess route, since this was the easiest way to bypass any other directive in httpd.conf.

.htaccess at the server root level
Code:
<Limit GET POST HEAD OPTIONS>
        Order allow,deny
        Allow from all  
</Limit>     
<LimitExcept GET POST HEAD OPTIONS>
        Order deny,allow
        Deny from all   
</LimitExcept>
then connect to the server:
Code:
telnet server.com 80
Trying xx.xx.xx.xx...
Connected to server.com.
Escape character is '^]'.
OPTIONS / HTTP/1.1
Host: server.com

HTTP/1.1 200 OK
Date: Thu, 17 Nov 2005 17:11:57 GMT
Server: Apache Web Server
Content-Length: 0
Allow: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK, TRACE

Connection closed by foreign host.
and so, to make sure .htaccess is working, I deny from all (for both limits):
Code:
<Limit GET POST HEAD OPTIONS>
        Order deny,allow
        Deny from all  
</Limit>     
<LimitExcept GET POST HEAD OPTIONS>
        Order deny,allow
        Deny from all   
</LimitExcept>
and now I get a forbidden when connecting:
Code:
telnet server.com 80
Trying xx.xx.xx.xx...
Connected to server.com.
Escape character is '^]'.
OPTIONS / HTTP/1.1
Host: server.com

HTTP/1.1 403 Forbidden
Date: Thu, 17 Nov 2005 17:11:27 GMT
Server: Apache Web Server
Transfer-Encoding: chunked
Content-Type: application/x-httpd-php

3bb
<HTML>
<HEAD>
<TITLE>403 Forbidden</TITLE>
So .htaccess is working (which it should since the config allows all overrides). I just don't get it!
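Nikto's "Allowed HTTP Methods" line is copied from the Allow header of an OPTIONS reply, and Apache fills that header from its content handlers rather than from <Limit>/<LimitExcept> access rules, so the 200 above with the full Allow list does not show whether a PUT or DELETE would really be refused. The following is an added example, not code from the thread: a small Python probe that sends each method and records the status it actually gets, run here against a constructed loopback stub (StubHandler, hypothetical and not Apache) that imitates the server above by advertising every method while answering PUT and DELETE with 403; point advertised_methods/probe_methods at a real host and port to check a live configuration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

METHODS = ["GET", "HEAD", "POST", "OPTIONS", "PUT", "DELETE", "TRACE", "PROPFIND"]

def _send(host, port, method, path="/"):
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request(method, path)
    resp = conn.getresponse()
    resp.read()  # drain any body so the connection can close cleanly
    conn.close()
    return resp

def advertised_methods(host, port):
    """Methods the server claims in the Allow header of an OPTIONS reply."""
    allow = _send(host, port, "OPTIONS").getheader("Allow", "")
    return [m.strip() for m in allow.split(",") if m.strip()]

def probe_methods(host, port, methods=METHODS):
    """Status code each method really gets, which the Allow header cannot tell you."""
    return {m: _send(host, port, m).status for m in methods}

def falsely_advertised(advertised, status):
    """Methods listed in Allow that the server actually refuses (non-2xx)."""
    return sorted(m for m in advertised if m in status and not 200 <= status[m] < 300)

class StubHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the OP's server (not Apache): Allow lists every
    method, while PUT and DELETE get the 403 a working <LimitExcept> would give."""
    ADVERTISED = "GET, HEAD, POST, PUT, DELETE, OPTIONS, TRACE, PROPFIND"
    def _reply(self, code, allow=None):
        self.send_response(code)
        if allow:
            self.send_header("Allow", allow)
        self.send_header("Content-Length", "0")
        self.end_headers()
    def do_OPTIONS(self): self._reply(200, self.ADVERTISED)
    def do_GET(self): self._reply(200)
    def do_HEAD(self): self._reply(200)
    def do_POST(self): self._reply(200)
    def do_PUT(self): self._reply(403)
    def do_DELETE(self): self._reply(403)
    # TRACE and PROPFIND have no do_ method here, so the stub answers 501.
    def log_message(self, *args): pass  # keep the demo quiet

def start_stub():
    server = HTTPServer(("127.0.0.1", 0), StubHandler)  # random loopback port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server
```

On Apache, TRACE is answered by the core before <Limit> is consulted, so it cannot be blocked that way; later Apache releases added the TraceEnable directive for it.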

#6
Junior Guru Wannabe
It doesn't do anything either if I put it in the virtual server config.
Apache/1.3.33 (Unix)
WHM 10.8.0 cPanel 10.8.1-S31
FreeBSD 5.3-RELEASE i386 - WHM X v3.1.0

#7
Premium Member
I dunno; you might have to specifically deny every HTTP request you want to block. It's not as if there are a huge number of them, after all. Or, you can just not worry about it; I really don't think it's that big of a deal.

Just as a thought, try getting rid of the explicit <Limit...>allow...</Limit> part, as it's superfluous, really, and see if that works.


#8
Junior Guru Wannabe
Bah, I've given up. The only deny limits that do anything are GET and HEADER; the rest still show up as available, even if they are explicitly denied!
Go figure.
