Put and delete - HTTP method

Alex Beamish talexb-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Wed May 7 14:37:43 UTC 2014


I believe PUT and DELETE are typically used for REST interfaces. If your
web server doesn't implement those two commands, I don't think you have
anything to worry about.

Alex



On Wed, May 7, 2014 at 10:08 AM, William Muriithi <
william.muriithi-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org> wrote:

> Morning,
>
> I am curious to hear what opinion or experience this group has on
> disabling HTTP put and delete method.
>
> Essentially, last week, I scanned around to see if there is a weakness on
> the systems I support that are exposed to the public. I am looking through
> the results and it feels like put and delete shouldn't be enabled. The lines
> below appear across all the systems' results
>
> + OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow
> clients to save files on the web server.
> + OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to
> remove files on the web server.
>
> To be sincere, I don't see a problem with put and delete from a bit of
> Googling I have done. It seems you can do the same damage through post that
> you can execute using put and delete, yet we don't disable the former.
>
> What is your opinion or experience with the two HTTP methods? Would
> appreciate some enlightenment/criticism here.
>
> Thanks in advance.
>
> William
>



-- 
Alex Beamish
Toronto, Ontario
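
Added example, not part of the original thread: the scanner lines quoted above are based on the `Allow` header, which only says what the server advertises, so this Python sketch compares that header with how the server actually answers PUT and DELETE (405 or 501 means the method is not implemented for that resource). The loopback server, the function names and the probe path are all constructed for illustration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

class DemoHandler(BaseHTTPRequestHandler):
    """Constructed test server: lists PUT/DELETE in Allow, implements neither."""
    def _reply(self, status, allow):
        self.send_response(status)
        self.send_header("Allow", allow)
        self.send_header("Content-Length", "0")
        self.end_headers()
    def do_OPTIONS(self):
        self._reply(200, "GET, HEAD, OPTIONS, PUT, DELETE")
    def do_PUT(self):
        self._reply(405, "GET, HEAD, OPTIONS")
    do_DELETE = do_PUT
    def log_message(self, *args): pass  # keep the demo quiet

def send(host, port, method, path):
    """Send one request; return (status code, Allow header value)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request(method, path, body=b"" if method == "PUT" else None)
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("Allow", "")
    finally:
        conn.close()

def audit(host, port, probe_path="/method-check-probe.txt"):
    """Compare what OPTIONS advertises with how each method is answered."""
    _, allow = send(host, port, "OPTIONS", "/")
    advertised = {m.strip().upper() for m in allow.split(",") if m.strip()}
    report = {}
    for method in sorted(advertised & {"PUT", "DELETE"}):
        status, _ = send(host, port, method, probe_path)
        # probe_path is hypothetical; a server that accepts PUT creates an empty file there.
        report[method] = ("not implemented" if status in (405, 501)
                          else f"review (HTTP {status})")
    return report

def demo():
    server = HTTPServer(("127.0.0.1", 0), DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return audit("127.0.0.1", server.server_port)
    finally:
        server.shutdown()
        server.server_close()
```

A result of `review (HTTP ...)` covers 2xx as well as 401, 403 and 404, since those can all come from a server that does implement the method.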