[WEB SECURITY] about http method

Leandro Meiners lmeiners at cybsec.com
Wed Jun 8 08:23:14 EDT 2005


1. One server has WebDAV and proxying enabled and the other does not.
2. According to http://httpd.apache.org/docs/mod/core.html#limit, "The
TRACE method cannot be limited"; you have to use mod_rewrite to limit
TRACE, like so:

    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} ^TRACE
    RewriteRule .* - [F]

There is no relation between TRACE and OPTIONS.
3. PUT and DELETE are used for web authoring (generally) instead of using
FTP and such. As you say, CGIs use POST to send information to the
server.

regards,

leandro.


On Wed, 2005-06-08 at 04:26 +0000, Monty Ree wrote:

> Hello, all.
> 
> Some documents say "Please limit httpd method at httpd.conf to improve 
> security."
> 
> So I have some questions about HTTP method.
> 
> 
> 1. first question 
> 
> When I used the CONNECT method, the Apache result was different.
> (config is alike, version is 1.3.26 alike)
> 
> Some apache : 
> Allow: GET, HEAD, OPTIONS, TRACE
> 
> but some apache like below.
> Allow: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, PATCH, PROPFIND, 
> PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK, TRACE
> 
> Why is the result not the same?
> 
> 
> 2. And an additional question.
> 
> I allowed GET, POST, OPTIONS like below, but Apache says that the TRACE method is 
> allowed too.
> What's the relation between OPTIONS and TRACE?
> 
> <LimitExcept GET POST OPTIONS>
>    Order allow,deny
>    deny from all
> </LimitExcept>
> 
> 3. Some documents say that one can upload a file using the PUT method and 
> delete it using the DELETE method. But most CGI or PHP programs use the POST method 
> to upload or delete a file. When is the PUT or DELETE method required?
>  
> 
> 
> Thanks in advance.
> 
> ---------------------------------------------------------------------
> The Web Security Mailing List
> http://www.webappsec.org/lists/websecurity/
> 
> The Web Security Mailing List Archives
> http://www.webappsec.org/lists/websecurity/archive/
> 
> 

----------------------------
Leandro Meiners
CYBSEC S.A. Security Systems
E-mail: lmeiners at cybsec.com
Tel/Fax: [54-11] 4382-1600
Web: http://www.cybsec.com
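
Added example, not part of the original thread: a small Python check that compares what a server advertises in its Allow header with what it actually answers to a real TRACE request, which is how you would confirm the mod_rewrite rule above took effect. The `StubHandler` server, the `UNNEEDED` policy set and the function names are constructed for the demo; the stub's behaviour (still listing TRACE in Allow while refusing it with 403) is an assumption, not captured Apache output.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed policy: methods from the longer Allow header quoted in the thread
# that a plain GET/POST site has no need to expose.
UNNEEDED = {"PUT", "DELETE", "CONNECT", "PATCH", "PROPFIND", "PROPPATCH",
            "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK", "TRACE"}

def parse_allow(value):
    """Split an Allow header value into a set of upper-case method names."""
    return {m.strip().upper() for m in value.split(",") if m.strip()}

def audit(host, port, path="/"):
    """Return (unneeded methods advertised in Allow, status of a real TRACE)."""
    status, allow = {}, ""
    for method in ("OPTIONS", "TRACE"):
        conn = http.client.HTTPConnection(host, port, timeout=5)
        conn.request(method, path)
        resp = conn.getresponse()
        resp.read()
        status[method] = resp.status
        if method == "OPTIONS":
            allow = resp.getheader("Allow", "")
        conn.close()
    return sorted(parse_allow(allow) & UNNEEDED), status["TRACE"]

class StubHandler(BaseHTTPRequestHandler):
    """Constructed stand-in server: advertises TRACE but answers it with 403."""
    def do_OPTIONS(self):
        self.send_response(200)
        self.send_header("Allow", "GET, HEAD, OPTIONS, TRACE")
        self.send_header("Content-Length", "0")
        self.end_headers()
    def do_TRACE(self):
        self.send_response(403)  # what RewriteRule .* - [F] returns
        self.send_header("Content-Length", "0")
        self.end_headers()
    def log_message(self, *args):
        pass  # keep the demo quiet

def demo():
    """Run the audit against the local stub and return its result."""
    server = HTTPServer(("127.0.0.1", 0), StubHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return audit("127.0.0.1", server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()
```

A TRACE status of 403 means the rewrite rule is being applied; a 200 means TRACE is still served regardless of any `<LimitExcept>` block.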