Results 1 to 8 of 8
  #1 (Join Date: Jan 2005, Posts: 60)

    how to disable HTTP methods (e.g. PUT, DELETE, etc.)

    How do I disable HTTP methods which I don't need (I don't even know how to use them)?
    After consulting the Apache docs, I tried entering this for the top directory in httpd.conf:

    <Directory />
        Options All
        AllowOverride All
        <Limit POST PUT DELETE CONNECT PROPFIND PROPPATCH>
            # Require valid-user
            Deny from all
        </Limit>
    </Directory>

    (I actually want Deny from all, but the Apache docs say "Require valid-user"; neither works.)

    I'm testing which methods are accepted using Nikto, which reports:

    Code:
    + Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK, TRACE 
    + HTTP method 'PUT' method may allow clients to save files on the web server.
    + HTTP method 'CONNECT' may allow server to proxy client requests.
    + HTTP method 'DELETE' may allow clients to remove files on the web server.
    + HTTP method 'PROPFIND' may indicate DAV/WebDAV is installed. This may be used to get directory listings if indexing is allowed but a default page exists. OSVDB-13431.
    + HTTP method 'PROPPATCH' may indicate DAV/WebDAV is installed.
    + HTTP method 'TRACE' is typically only used for debugging. It should be disabled. OSVDB-877.
    + /test - Redirects to http://www.saurin.com/test/ , Apache Tomcat default file found. All default files should be removed.
    +  TRACE option appears to allow XSS or credential theft. See http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details (TRACE)
    + TRACK option ('TRACE' alias) appears to allow XSS or credential theft. See http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details

    On the same track, TRACE is reported to be ignored by Apache, so after reading how the white paper disables TRACE, I used:

    <IfModule mod_rewrite.c>
        RewriteEngine on
        RewriteCond %{REQUEST_METHOD} ^TRACE
        # '-' leaves the URL unchanged; [F] answers 403 Forbidden
        RewriteRule .* - [F]
    </IfModule>

    but Nikto still says it's available.
    Of course, the conf file is reloaded after editing.

    Any help would be appreciated!
    Andy

  #2 (Join Date: Mar 2003, Location: Saint Paul, MN, Posts: 826)
    I believe you're forgetting the "order" instruction.

    What we use in a number of spots is:

    <Limit POST HEAD>
        order deny,allow
        deny from all
    </Limit>

    Works for us.
    redpin.com - offering amazingly competent email, dns, and web hosting since 2002... because someone has to!
    Because Simple Things Should Be Simple - YouCANHasDNS

  #3 (Join Date: Jan 2005, Posts: 60)
    I just don't get it; it's as if <Limit> is not working at all:

    <Directory />
        <Limit GET POST HEAD OPTIONS>
            Order allow,deny
            Allow from all
        </Limit>
        <LimitExcept GET POST HEAD OPTIONS>
            Order deny,allow
            Deny from all
        </LimitExcept>
    </Directory>

    It just does nothing.

  #4 (Join Date: Mar 2003, Location: Saint Paul, MN, Posts: 826)
    My guess would be that somewhere along the way your Apache configuration is overriding what you're putting for <Directory />. Do you have a separate stanza for /var/www, or /home, or /usr/local/www, or wherever else your websites are served from under? Have you tried putting the directives in a .htaccess file, and seeing if it works there? Or in your VirtualHost stanza?

    You can also try rewrite rules, viz:

    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} POST
    RewriteRule .*$ - [F,L]

  #5 (Join Date: Jan 2005, Posts: 60)
    OK, this is weird.
    I decided to go the .htaccess route, since this was the easiest way to bypass any other directive in httpd.conf.

    .htaccess at the server root level
    Code:
    <Limit GET POST HEAD OPTIONS>
            Order allow,deny
            Allow from all
    </Limit>
    <LimitExcept GET POST HEAD OPTIONS>
            Order deny,allow
            Deny from all
    </LimitExcept>
    Then connect to the server:
    Code:
    telnet server.com 80
    Trying xx.xx.xx.xx...
    Connected to server.com.
    Escape character is '^]'.
    OPTIONS / HTTP/1.1
    Host: server.com
    
    HTTP/1.1 200 OK
    Date: Thu, 17 Nov 2005 17:11:57 GMT
    Server: Apache Web Server
    Content-Length: 0
    Allow: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK, TRACE
    
    Connection closed by foreign host.
    And so, to make sure .htaccess is working, do a Deny from all (for both limits):
    Code:
    <Limit GET POST HEAD OPTIONS>
            Order deny,allow
            Deny from all
    </Limit>
    <LimitExcept GET POST HEAD OPTIONS>
            Order deny,allow
            Deny from all
    </LimitExcept>
    And now I get a Forbidden when connecting:
    Code:
    telnet server.com 80
    Trying xx.xx.xx.xx...
    Connected to server.com.
    Escape character is '^]'.
    OPTIONS / HTTP/1.1
    Host: server.com
    
    HTTP/1.1 403 Forbidden
    Date: Thu, 17 Nov 2005 17:11:27 GMT
    Server: Apache Web Server
    Transfer-Encoding: chunked
    Content-Type: application/x-httpd-php
    
    3bb
    <HTML>
    <HEAD>
    <TITLE>403 Forbidden</TITLE>
    So .htaccess is working (which it should since the config allows all overrides). I just don't get it!
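The telnet test above only checks what the OPTIONS reply advertises. As an added example (not code from this thread, from Apache or from Nikto), here is a small Python checker that reads the Allow header from OPTIONS and then sends each method itself and classifies the answer. The host, port, path, timeout and allowlist are assumptions to adjust per site; the Allow header captured in the thread is embedded as sample input.

```python
"""Check which HTTP methods an Apache host actually accepts.

Added example, not code from the thread or from Apache/Nikto. It reads
the Allow header from an OPTIONS reply and then sends every method
itself, because the Allow header reflects what the content handler
implements, while a <Limit>/<LimitExcept> deny is only consulted when
that method is really requested.
"""
import http.client

# Methods a plain web site normally needs (assumption; adjust per site).
ALLOWLIST = {"GET", "HEAD", "POST", "OPTIONS"}

# Sample input: the Allow header captured in the thread's OPTIONS test.
CAPTURED_ALLOW = ("GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, PATCH, "
                  "PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK, TRACE")

# Methods worth probing: everything in the captured header plus TRACK,
# the TRACE alias that Nikto reports separately.
PROBE_METHODS = sorted({m.strip() for m in CAPTURED_ALLOW.split(",")} | {"TRACK"})

# Status codes that show the server refused the method.
REFUSED = {401, 403, 405, 501}


def parse_allow_header(value):
    """'GET, HEAD, POST' -> {'GET', 'HEAD', 'POST'} (case-normalised)."""
    return {m.strip().upper() for m in value.split(",") if m.strip()}


def exposed_methods(allow_header, allowlist=ALLOWLIST):
    """Methods the OPTIONS reply advertises that are not on the allowlist."""
    return sorted(parse_allow_header(allow_header) - set(allowlist))


def classify(method, status, allowlist=ALLOWLIST):
    """Verdict for one probe: expected, blocked, EXPOSED, unclear or no-reply."""
    if status is None:
        return "no-reply"      # connection dropped or unparsable reply
    if method in allowlist:
        return "expected"
    if status == 400:
        return "unclear"       # request rejected as malformed, not by policy
    return "blocked" if status in REFUSED else "EXPOSED"


def _send(host, port, method, path, timeout):
    """One request; returns (status, lower-cased header dict) or (None, {})."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request(method, path)   # http.client adds the Host header itself
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    except (OSError, http.client.HTTPException):
        return None, {}
    finally:
        conn.close()


def options_allow(host, port=80, path="/", timeout=5):
    """Return the Allow header string from an OPTIONS request ('' if absent)."""
    _, headers = _send(host, port, "OPTIONS", path, timeout)
    return headers.get("allow", "")


def probe(host, port=80, path="/", methods=PROBE_METHODS, timeout=5):
    """Send each method in turn and return {method: status or None}."""
    return {m: _send(host, port, m, path, timeout)[0] for m in methods}


def report(results, allowlist=ALLOWLIST):
    """Map each probed method to its verdict."""
    return {m: classify(m, s, allowlist) for m, s in results.items()}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"  # assumption
    print("advertised but not allowlisted:",
          exposed_methods(options_allow(target)))
    for method, verdict in report(probe(target)).items():
        print(f"{method:10s} {verdict}")
```

Run it against the host being hardened and compare the two outputs: Nikto's "Allowed HTTP Methods" line comes from the same OPTIONS Allow header, so a method can stay listed there while the per-method probe already returns 403. The 403 on the real PUT, DELETE or TRACE request is the result that shows the deny rule is in effect.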

  #6 (Join Date: Jan 2005, Posts: 60)
    Doesn't do anything either if I put it in the virtual server config.
    Apache/1.3.33 (Unix)
    WHM 10.8.0 cPanel 10.8.1-S31
    FreeBSD 5.3-RELEASE i386 - WHM X v3.1.0

  #7 (Join Date: Mar 2003, Location: Saint Paul, MN, Posts: 826)
    I dunno; you might have to specifically deny every HTTP request you want to block. It's not as if there are a huge number of them, after all. Or, you can just not worry about it; I really don't think it's that big of a deal.

    Just as a thought, try getting rid of the explicit <Limit...>allow...</Limit> part, as it's superfluous, really, and see if that works.

  #8 (Join Date: Jan 2005, Posts: 60)
    Bah, I've given up. The only deny limits that do anything are GET and HEADER; the rest still show up as available, even if they are explicitly denied!
    Go figure.
