How to disable HTTP methods (e.g. PUT, DELETE, etc.)
How do I delete HTTP methods which I don't need - I don't even know how to use them! After consulting the Apache docs, I tried entering this for the top directory in httpd.conf:
<Directory />
    Options All
    AllowOverride All
    # Access rule below applies only to the listed methods
    <Limit POST PUT DELETE CONNECT PROPFIND PROPPATCH>
        # Require valid-user
        Deny from all
    </Limit>
</Directory>
(I actually want Deny from all, but in the Apache docs it says "require valid-user"; neither works.)
I'm testing which methods are accepted using Nikto, which reports:
Code:
+ Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK, TRACE
+ HTTP method 'PUT' method may allow clients to save files on the web server.
+ HTTP method 'CONNECT' may allow server to proxy client requests.
+ HTTP method 'DELETE' may allow clients to remove files on the web server.
+ HTTP method 'PROPFIND' may indicate DAV/WebDAV is installed. This may be used to get directory listings if indexing is allowed but a default page exists. OSVDB-13431.
+ HTTP method 'PROPPATCH' may indicate DAV/WebDAV is installed.
+ HTTP method 'TRACE' is typically only used for debugging. It should be disabled. OSVDB-877.
+ /test - Redirects to http://www.saurin.com/test/ , Apache Tomcat default file found. All default files should be removed.
+ TRACE option appears to allow XSS or credential theft. See http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details (TRACE)
+ TRACK option ('TRACE' alias) appears to allow XSS or credential theft. See http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details
On the same track, TRACE is reported to be ignored by Apache, therefore after reading the implementation to disable TRACE in the white paper, I used:
<IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} ^TRACE
    # "-" keeps the URL unchanged; [F] answers 403 Forbidden
    RewriteRule .* - [F]
</IfModule>
but Nikto still says it's available.
Of course, the conf file is reloaded after editing.
Any help would be appreciated!
Andy
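Nikto's "Allowed HTTP Methods" line is read from the Allow header of an OPTIONS reply, which is what the server advertises, and access rules in a <Limit> block do not change that header; whether a method is really refused only shows when you send it and look at the status code. The script below is an added example, not part of Andy's post: it compares the advertised list with a real probe of each method, and stands up a constructed local demo server (advertising PUT, DELETE and TRACE but accepting only PUT) in place of the poster's Apache; host, port and path are parameters you supply for a real check.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

RISKY = {"PUT", "DELETE", "CONNECT", "TRACE", "TRACK", "PATCH", "PROPFIND",
         "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}  # Nikto's list

def advertised_methods(host, port, path="/"):
    """Methods named in the Allow header of an OPTIONS reply (what Nikto prints)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("OPTIONS", path)
    allow = conn.getresponse().getheader("Allow") or ""
    conn.close()
    return {m.strip().upper() for m in allow.split(",") if m.strip()}

def probe_methods(host, port, path="/", methods=RISKY):
    """Send each method for real and record the status code; 4xx/5xx = refused."""
    results = {}
    for method in sorted(methods):
        conn = http.client.HTTPConnection(host, port, timeout=5)
        conn.request(method, path)
        results[method] = conn.getresponse().status
        conn.close()
    return results

def still_open(advertised, probed):
    """Risky methods that are both advertised and answered with a 2xx status."""
    return {m for m in advertised & RISKY if 200 <= probed.get(m, 0) < 300}

class _DemoHandler(BaseHTTPRequestHandler):
    """Constructed stand-in: advertises PUT/DELETE/TRACE, accepts PUT, refuses
    DELETE; TRACE and the rest fall through to BaseHTTPRequestHandler's 501."""
    def log_message(self, *args): pass  # keep the demo quiet
    def _reply(self, status, allow=None):
        self.send_response(status)
        if allow: self.send_header("Allow", allow)
        self.send_header("Content-Length", "0")
        self.end_headers()
    def do_OPTIONS(self): self._reply(200, "GET, HEAD, POST, PUT, DELETE, TRACE")
    def do_GET(self): self._reply(200)
    def do_PUT(self): self._reply(200)
    def do_DELETE(self): self._reply(403)

def run_demo():
    """Start the demo server on an ephemeral port, check it, shut it down."""
    server = HTTPServer(("127.0.0.1", 0), _DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    host, port = server.server_address
    try:
        adv, probed = advertised_methods(host, port), probe_methods(host, port)
    finally:
        server.shutdown(); server.server_close()
    return adv, probed, still_open(adv, probed)  # open set is {'PUT'}
```

Against a real server, call advertised_methods and probe_methods with its host and port: a method that appears in the first set but gets a 403 from the second is one Nikto will keep listing even though the server refuses it.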