On 28 October 2012 18:01, anthony kasza <[email protected]> wrote: > What's the HTTP server software you're running this against?
This is the web server that php.net is running and it works fine against them Server: Apache/2.2.21 (FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q PHP/5.4.9-dev Robin > -AK > > On Oct 28, 2012 10:38 AM, "Robin Wood" <[email protected]> wrote: >> >> I've just been tidying up my tools and found a script which checks >> which HTTP methods are enabled on a given site. I ran it against my >> site and it said PUT is enabled. I know that it isn't so I manually >> tested it and proved it wasn't enabled. I checked what it was actually >> sending and it was trying to PUT to / so I tried that and got a 200 >> back along with the content of my index page. I tried again with >> another page and got the content of that page. >> >> So for some reason PUT is acting as a GET for pages which exist, I >> checked OPTIONS and that is doing the same both of them only work with >> HTTP 1.1, not 1.0. >> >> I've tried a few sites, apache.org, pauldotcom.com and microsoft.com >> all fail but php.net gives back the content. >> >> nc php.net 80 >> PUT / HTTP/1.1 >> Host: php.net >> >> HTTP/1.1 200 OK >> Date: Sun, 28 Oct 2012 15:30:30 GMT >> . >> . >> . >> >> >> If this common it might be a nice way to bypass IDS that are looking >> for GET or HEAD methods or to bypass restrictions which lock out those >> two methods. >> >> Comments? >> >> Robin >> _______________________________________________ >> Pauldotcom mailing list >> [email protected] >> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom >> Main Web Site: http://pauldotcom.com > > > _______________________________________________ > Pauldotcom mailing list > [email protected] > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > Main Web Site: http://pauldotcom.com _______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
