Put and delete - HTTP method

Mauro Souza thoriumbr-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Wed May 7 14:17:50 UTC 2014


For me, it looks like PUT and DELETE were something devised to be used,
ended up in the RFC, but not widely implemented.

I never saw it working anywhere, and all my servers reply with "HTTP 405 -
Method not allowed" when I try PUT or DELETE.

If your systems have PUT and/or DELETE enabled, you should disable them. Or
redirect to a honeypot somewhere and have some fun.
If you redirect, you could send us the results later. I love seeing
honeypot logs...

Mauro
http://mauro.limeiratem.com - registered Linux User: 294521
Scripture is both history, and a love letter from God.


2014-05-07 11:08 GMT-03:00 William Muriithi <william.muriithi-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org>:

> Morning,
>
> I am curious to hear what opinion or experience this group has on
> disabling the HTTP put and delete methods.
>
> Essentially, last week, I scanned around to see if there is any weakness on
> the systems I support that's exposed to the public. I am looking through
> the results and it feels like put and delete shouldn't be enabled. The lines
> below appear across all the systems' results
>
> + OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow
> clients to save files on the web server.
> + OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to
> remove files on the web server.
>
> To be sincere, I don't see a problem with put and delete from a bit of
> Googling I have done. It seems you can do the same damage through post that
> you can execute using put and delete, yet we don't disable the former.
>
> What is your opinion or experience with the two HTTP methods? Would
> appreciate some enlightenment/criticism here.
>
> Thanks in advance.
>
> William
>
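
The scanner lines quoted above are derived only from the 'Allow' header, while the reply describes servers that answer PUT or DELETE with 405. The following is an added example, not part of the original thread, that compares what a server advertises with how it actually answers each method; the responses are constructed samples and the function names are illustrative.

```python
# Triage "Allow header" scanner findings against what the server actually
# does with the method. All responses below are constructed samples.

RISKY = {"PUT", "DELETE"}

def parse_response(raw: str):
    """Return (status_code, headers) from a raw HTTP/1.x response head."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def advertised_methods(options_raw: str):
    """Methods listed in the Allow header of an OPTIONS response."""
    _, headers = parse_response(options_raw)
    allow = headers.get("allow", "")
    return {m.strip().upper() for m in allow.split(",") if m.strip()}

def triage(options_raw: str, probes: dict):
    """probes maps method -> raw response the server gave to that method
    on a test path owned by the administrator. Returns method -> verdict."""
    advertised = advertised_methods(options_raw)
    verdicts = {}
    for method in sorted(RISKY):
        status, _ = parse_response(probes[method])
        refused = status in (405, 501)  # refused at the method level
        if method in advertised and refused:
            verdicts[method] = "advertised-only"  # Allow header is misleading
        elif refused:
            verdicts[method] = "disabled"
        else:
            verdicts[method] = "review"  # handled: check authz and the handler
    return verdicts

# Constructed sample responses
OPTIONS_RESP = ("HTTP/1.1 200 OK\r\n"
                "Allow: GET, HEAD, POST, PUT, DELETE, OPTIONS\r\n\r\n")
PUT_RESP = "HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD, POST\r\n\r\n"
DELETE_RESP = ("HTTP/1.1 401 Unauthorized\r\n"
               "WWW-Authenticate: Basic realm=\"dav\"\r\n\r\n")

if __name__ == "__main__":
    result = triage(OPTIONS_RESP, {"PUT": PUT_RESP, "DELETE": DELETE_RESP})
    for method, verdict in result.items():
        print(method, verdict)
```

A "review" verdict only means the method was not refused outright; whether it can change anything depends on the authentication and the handler behind it.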