PaulDotCom mailing list archives
Re: HTTP GETs with a PUT
From: Robin Wood <robin () digininja org>
Date: Mon, 29 Oct 2012 09:48:41 +0000
On 28 October 2012 18:01, anthony kasza <anthony.kasza () gmail com> wrote:
What's the HTTP server software you're running this against?
This is the web server that php.net is running and it works fine against them

Server: Apache/2.2.21 (FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q PHP/5.4.9-dev

Robin

-AK

On Oct 28, 2012 10:38 AM, "Robin Wood" <robin () digininja org> wrote:

I've just been tidying up my tools and found a script which checks which HTTP methods are enabled on a given site. I ran it against my site and it said PUT is enabled. I know that it isn't so I manually tested it and proved it wasn't enabled.

I checked what it was actually sending and it was trying to PUT to / so I tried that and got a 200 back along with the content of my index page. I tried again with another page and got the content of that page.

So for some reason PUT is acting as a GET for pages which exist. I checked OPTIONS and that is doing the same; both of them only work with HTTP 1.1, not 1.0.

I've tried a few sites: apache.org, pauldotcom.com and microsoft.com all fail but php.net gives back the content.

nc php.net 80
PUT / HTTP/1.1
Host: php.net

HTTP/1.1 200 OK
Date: Sun, 28 Oct 2012 15:30:30 GMT
. . .

If this is common it might be a nice way to bypass IDS that are looking for GET or HEAD methods or to bypass restrictions which lock out those two methods.

Comments?

Robin

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
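An added example, not part of the thread and not Robin's script: one way a method-enumeration check can avoid the false positive described above is to compare each probe's response with the GET response for the same URL instead of trusting the status code alone. The sample responses are constructed, and the function names and verdict labels are assumptions made for this sketch.

```python
import hashlib

# Constructed sample responses (not captured from any real server).
GET_BASELINE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>index page</html>"
SAMPLES = {
    "put_as_get": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>index page</html>",
    "put_rejected": b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD\r\n\r\n",
    "put_created": b"HTTP/1.1 201 Created\r\nLocation: /probe.txt\r\n\r\n",
}

def parse_response(raw):
    """Return (status_code, sha256-of-body) for a raw HTTP/1.x response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP response: %r" % status_line)
    return int(parts[1]), hashlib.sha256(body).hexdigest()

def classify_probe(get_raw, probe_raw):
    """Compare a non-GET probe's response with the GET baseline for the same URL."""
    get_status, get_hash = parse_response(get_raw)
    status, body_hash = parse_response(probe_raw)
    if status in (400, 401, 403, 404, 405, 501):
        return "rejected"
    if status == 200 and get_status == 200 and body_hash == get_hash:
        # Same representation as GET: the method was served like a read, so a
        # status-only scanner would wrongly report it as enabled.
        return "handled-as-get"
    if 200 <= status < 300:
        return "accepted-needs-manual-check"
    return "inconclusive"

def report(get_raw, samples):
    """Classify every named probe response against the GET baseline."""
    return {name: classify_probe(get_raw, raw) for name, raw in samples.items()}

if __name__ == "__main__":
    for name, verdict in report(GET_BASELINE, SAMPLES).items():
        print(name, "->", verdict)
```

Pages whose body changes on every request will not hash identically, so a "handled-as-get" verdict is conservative and an "accepted-needs-manual-check" verdict still needs the manual test described in the thread.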
Current thread:
- HTTP GETs with a PUT Robin Wood (Oct 28)
- Re: HTTP GETs with a PUT allison nixon (Oct 28)
- Re: HTTP GETs with a PUT Jim Halfpenny (Oct 29)
- Re: HTTP GETs with a PUT Robin Wood (Oct 29)
- Re: HTTP GETs with a PUT Ryan Dewhurst (Oct 29)
- Re: HTTP GETs with a PUT anthony kasza (Oct 28)
- Re: HTTP GETs with a PUT Robin Wood (Oct 29)
- Re: HTTP GETs with a PUT allison nixon (Oct 28)