Put and delete - HTTP method

William Muriithi william.muriithi-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Wed May 7 14:08:30 UTC 2014


Morning,

I am curious to hear what opinion or experience this group has on disabling
the HTTP put and delete methods.

Essentially, last week, I scanned around to see if there is a weakness on the
systems I support that are exposed to the public. I am looking through the
results and it feels like put and delete shouldn't be enabled. The lines
below appear across all the systems' results:

+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients
to save files on the web server.
+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to
remove files on the web server.

To be sincere, I don't see a problem with put and delete from the bit of
Googling I have done. It seems you can do the same damage through post that you
can execute using put and delete, yet we don't disable the former.

What is your opinion or experience with the two HTTP methods? I would
appreciate some enlightenment/criticism here.

Thanks in advance.

William