Although I don't know for sure, I'm guessing it's because TRACE is enabled. Some brain-dead security audits consider allowing TRACE to be a "security issue" (although it's not)...
Check out http://httpd.apache.org/docs/2.4/mod/core.html#traceenable and give your security scanners a whack with a clue-stick.

On Aug 17, 2012, at 6:46 PM, Kumar Bijayant <bijayant....@gmail.com> wrote:

> Hi List,
>
> Some days back I came across a very weird problem, and I am not able
> to figure it out. The security scanners scanned one of our public facing
> websites and they said that the webserver is vulnerable to HTTP methods or
> maybe WebDAV is enabled. I looked around the code and couldn't find
> anything. Below are my findings and approach:
>
> 1. The WebDAV module is not enabled at all on the webserver.
>
> 2.
> <Directory DOCROOT>
>
>     <Limit GET POST OPTIONS>
>         Order allow,deny
>         Allow from all
>     </Limit>
>     <LimitExcept GET POST OPTIONS>
>         Order deny,allow
>         Deny from all
>     </LimitExcept>
>     AllowOverride None
>     Order allow,deny
>     Allow from all
> </Directory>
>
> 3. DELETE and PUT are disabled by rewrite rules:
>
> RewriteCond %{REQUEST_METHOD} ^DELETE
> RewriteRule .* - [F,L]
> RewriteCond %{REQUEST_METHOD} ^PUT
> RewriteRule .* - [F,L]
>
> 4. Did a telnet test as well:
>
> bash-3.2$ telnet x.x.x.x 8090
> Trying x.x.x.x....
> Connected to x.x.x.x..
> Escape character is '^]'.
> OPTIONS / HTTP/1.0
>
> HTTP/1.1 200 OK
> Date: Mon, 30 Jul 2012 18:50:02 GMT
> Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8l
> Allow: GET,HEAD,POST,OPTIONS,TRACE
> Content-Length: 0
> Connection: close
>
> There are Tomcat applications as well behind this Apache instance. I
> looked into those as well, but couldn't find anything related to
> WebDAV in web.xml.
>
> Am I missing something to rule out the possibility that Apache is
> vulnerable to any of the HTTP methods? Or is there anything still which
> is throwing that stuff? Because we have to get rid of those
> vulnerabilities anyhow. Where else should I check?
>
> Any comments or direction would be very helpful.
>
> Thanks & Regards,
> Bijayant Kumar
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
> ---------------------------------------------------------------------
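The configuration below is an added example, not part of either message in the thread, showing how the posted <Directory> block would look with TRACE actually switched off. The point it illustrates is the one the reply hints at: TRACE is handled by the httpd core and is not one of the methods <Limit>/<LimitExcept> can restrict, so the posted <LimitExcept GET POST OPTIONS> block never touches it and the scanner still sees TRACE in the OPTIONS Allow list. The TraceEnable directive is the only switch for it. The syntax is that of httpd 2.2, matching the Server header in the posted telnet test; DOCROOT is the poster's placeholder and is kept as such.

```apache
# Added example (not from the thread): hardened httpd 2.2 configuration for
# the case discussed above. DOCROOT is a placeholder for the real document root.

# TRACE is answered by the core before <Limit>/<LimitExcept> authorization
# applies, so it can only be disabled here. With "off" the server returns
# 405 Method Not Allowed to TRACE and drops TRACE from the OPTIONS Allow list.
TraceEnable off

<Directory DOCROOT>
    AllowOverride None
    Order allow,deny
    Allow from all

    # Refuse every method except the three the site actually uses.
    # This also covers PUT and DELETE with a 403, so the separate
    # RewriteCond/RewriteRule pairs for those two methods are redundant.
    <LimitExcept GET POST OPTIONS>
        Order deny,allow
        Deny from all
    </LimitExcept>
</Directory>
```

The original's separate <Limit GET POST OPTIONS> block with Allow from all is dropped because it only repeats the Directory-level access rule. On httpd 2.4 the Order/Allow/Deny lines become "Require all granted" at Directory level and "Require all denied" inside the <LimitExcept>; TraceEnable is unchanged. To verify after a reload, repeat the poster's OPTIONS probe (the Allow header should now read GET,HEAD,POST,OPTIONS) and send a TRACE request, which should come back as 405.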