RE: Disable 80/443 Put / Delete Methods

["Yvan Boily" <yboily () seccuris com>]

It is quite simple really, depending which server you are using.  With
Apache you can use the <Limit></Limit> directive

DocumentRoot "/web/htdocs"
<Directory "/">
    AllowOverride None
    Options Indexes 
    <Limit GET POST OPTIONS PROPFIND>
        Order allow,deny
        Allow from all
    </Limit>
    <LimitExcept GET POST OPTIONS PROPFIND>
        Order deny,allow
        Deny from all
    </LimitExcept>
</Directory>

In IIS you can run IISLock which will install URLScan.  Then configure
%WINDIR%\System32\Inetsrv\URLscan\urlscan.ini by removing un-necessary verbs
from the AllowVerbs section of the file and setting the UseAllowVerbs=1 to
enable the default-to-deny mode for urlscan.

Other servers should have comparable mechanisms.

Yvan Boily 

> -----Original Message-----
> From: roger.smith () calyonfinancial com 
> [mailto:roger.smith () calyonfinancial com] 
> Sent: Tuesday, September 28, 2004 9:05 AM
> Cc: security-basics () securityfocus com
> Subject: Disable 80/443 Put / Delete Methods
>
>
>
>
>
> Hi group,
>
> I have a client's vulnerability audit report for a web server 
> that indicates that for ports 80 & 443 the PUT and DELETE 
> methods are enabled on the server.
> The recommendation is to "disable" these methods "if possible".
>
> What does "disable" truly mean:
> a) Enable only when needed?
> b) delete these methods such that they can't ever be 
> used?....and can that be done?
>
> The webmaster claims there is no other way to maintain the 
> site but also has no rational reason other than IMHO preference.
>
> What scenarios would make it impossible to disable these methods.
>
> Thanks,
>
> Roger
>
>
> DISCLAIMER:
> This communication may contain privileged and/or confidential 
> information and is intended only for the use of the 
> individual or entity to whom it is addressed.  No waiver of 
> confidentiality or privilege is made by mistransmission.  If 
> the reader of this message is not the intended recipient, you 
> are hereby notified that any unauthorized dissemination, 
> distribution,  reading, printing, copying and/or use of this 
> communication is strictly prohibited. If you have received 
> this communication in error, please immediately notify the 
> sender by return e-mail and delete this message from your 
> system as well as destroy any paper copies made.  Calyon 
> Financial makes no representation or warranty regarding the 
> correctness of any information contained herein, or the 
> appropriateness of any transaction for any person.
> Nothing herein shall be construed as a recommendation to buy 
> or sell any financial instrument or security.