Nmap Development mailing list archives
RE: NMAP -> http-methods.nse result
From: "Rob Nicholls" <robert () robnicholls co uk>
Date: Thu, 7 Oct 2010 09:55:34 +0100
Hi Zack,

Output 2 suggests to me that both methods are supported, but something is stopping you from deleting "/" (probably file permissions - this could be caused by people uploading content via SFTP under one username and running Apache under another account so it can't modify the files). The PUT method requires a Content-Length header to specify the length (in bytes) of the body so the server knows when the input stream has ended. This actually looks like a bug in the script to me, as the http library should automatically add Content-Length headers to requests, so I'm assuming the script doesn't pass any data for the body.

If the file permissions allow it, it may be possible to PUT a file to the server (you might find you can't delete existing files, but you may have permission to add new files rather than trying to overwrite whatever's at "/").

Output 2 reminds me of the issue where TRACE (and TRACK) was supported by an Apache server, but it used mod_rewrite and had been configured to return a "403 Forbidden" error instead (this is how many people configured their Apache servers before the TraceEnable directive in Apache 1.3.34 and 2.0.55). In that scenario the core server does technically support the method, but the server has then been configured to prevent the core functionality from working. This sort of thing can trick other basic tools that don't perform comprehensive testing and trust the output of things like the OPTIONS method (modern web servers, for example, can let you configure specific HTTP methods per file extension, which can really confuse matters). Nessus, for example, attempts to perform a TRACE request for a random filename to verify that TRACE is really enabled.

If Output 2 had said "403 Forbidden" to both methods it could have been down to something like mod_rewrite, but I suspect the "411 Length Required" means that nothing would stop you from performing a PUT request (although file permissions might prevent it from being successful), which is another reason why it suggests to me that both methods are enabled. Whether they can actually be used to add or remove content is a different question, and can only be concluded if you see "200 OK".

Rob

-----Original Message-----
From: nmap-dev-bounces () insecure org [mailto:nmap-dev-bounces () insecure org] On Behalf Of Zack Dela
Sent: 07 October 2010 06:37
To: nmap-dev () insecure org
Subject: NMAP -> http-methods.nse result

Good day

I would like to ask about the following output below from the script http-methods. I'm confused whether the site is really using PUT and DELETE.

From which of the following outputs can we conclude that a certain site has indeed used PUT and DELETE methods? In my opinion, Output 1 is not, while Output 2 is somehow using those methods with restriction (PUT and DELETE). Or do these 2 outputs simply say that the site is not using methods PUT and DELETE?

I'm checking this on our site since these PUT and DELETE methods are dangerous.

Output 1:
PUT / -> HTTP/1.1 405 Method Not Allowed
DELETE / -> HTTP/1.1 405 Method Not Allowed

Output 2:
DELETE / -> HTTP/1.1 403 Forbidden
PUT / -> HTTP/1.1 411 Length Required

Please help clarify

Thank you.

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
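Added example, not part of the original thread or of the http-methods script: a small triage of the two outputs quoted above, following the reasoning in the reply when auditing your own server. The function names and verdict labels are assumptions made for illustration, and the handling of 201, 204 and 501 goes beyond the codes named in the thread.

```python
import re

# Constructed sample input: the two outputs quoted in the thread.
OUTPUT_1 = """PUT / -> HTTP/1.1 405 Method Not Allowed
DELETE / -> HTTP/1.1 405 Method Not Allowed"""
OUTPUT_2 = """DELETE / -> HTTP/1.1 403 Forbidden
PUT / -> HTTP/1.1 411 Length Required"""

# Matches lines of the form "METHOD /path -> HTTP/1.1 NNN Reason".
LINE_RE = re.compile(r"^\s*([A-Z]+)\s+(\S+)\s+->\s+HTTP/\d\.\d\s+(\d{3})\b")

def classify(status):
    """Map one status code to a verdict label (labels are hypothetical)."""
    # The thread names only 200; 201/204 are the other standard success
    # codes for PUT/DELETE and are included here as a generalization.
    if status in (200, 201, 204):
        return "usable"
    # 405 is from the thread; 501 (Not Implemented) is added as an assumption.
    if status in (405, 501):
        return "rejected"
    # Method was accepted but the probe sent no Content-Length, so the
    # result is inconclusive until the request is repeated with a body.
    if status == 411:
        return "retest-with-body"
    # Method may be supported by the core server but blocked by
    # configuration (e.g. mod_rewrite) or by file permissions.
    if status == 403:
        return "blocked"
    return "unknown"

def triage(text):
    """Parse script output and return {method: verdict}."""
    results = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            results[m.group(1)] = classify(int(m.group(3)))
    return results

def needs_follow_up(results):
    """Methods the server did not outright reject, worth manual testing."""
    return sorted(m for m, v in results.items() if v != "rejected")

if __name__ == "__main__":
    for name, out in (("Output 1", OUTPUT_1), ("Output 2", OUTPUT_2)):
        r = triage(out)
        print(name, r, "follow up:", needs_follow_up(r))
```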