Nmap Development mailing list archives

RE: NMAP -> http-methods.nse result


From: "Rob Nicholls" <robert () robnicholls co uk>
Date: Thu, 7 Oct 2010 09:55:34 +0100

Hi Zack,

Output 2 suggests to me that both methods are supported, but something is
stopping you from deleting "/" (probably file permissions - this could be
caused by people uploading content via SFTP under one username and running
Apache under another account so it can't modify the files).

The PUT method requires a Content-Length header to specify the length (in
bytes) of the body so the server knows when the input stream has ended. This
actually looks like a bug in the script to me, as the http library should
automatically add Content-Length headers to requests, so I'm assuming the
script doesn't pass any data for the body. If the file permissions allow it,
it may be possible to PUT a file to the server (you might find you can't
delete existing files, but you may have permission to add new files rather
than trying to overwrite whatever's at "/").

Output 2 reminds me of the issue where TRACE (and TRACK) was supported by an
Apache server, but it used mod_rewrite and had been configured to return a
"403 Forbidden" error instead (this is how many people configured their
Apache servers before the TraceEnable directive in Apache 1.3.34 and
2.0.55). In that scenario the core server does technically support the
method, but the server has then been configured to prevent the core
functionality from working. This sort of thing can trick other basic tools
that don't perform comprehensive testing and trust the output of things
like the OPTIONS method (modern web servers, for example, can let you
configure specific HTTP methods per file extension, which can really confuse
matters). Nessus, for example, attempts to perform a TRACE request for a
random filename to verify that TRACE is really enabled. If Output 2 had said
"403 Forbidden" to both methods it could have been down to something like
mod_rewrite, but I suspect the "411 Length Required" means that nothing
would stop you from performing a PUT request (although file permissions
might prevent it from being successful), which is another reason why it
suggests to me that both methods are enabled. Whether they can actually be
used to add or remove content is a different question, and can only be
concluded if you see "200 OK".

Rob
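
As an added example (not code from the thread, from Nmap, or from the http-methods script), here is a small Python parser for result lines in the "METHOD PATH -> HTTP/1.x CODE REASON" form that the outputs below use, applying the interpretation above: a 405 is an outright refusal, a 403 may be an access-control or rewrite layer in front of a core that still implements the method, a 411 means the method was accepted but the probe lacked a Content-Length/body, and only a 2xx is conclusive. The verdict names and the classification of codes other than the ones discussed here are my own assumptions.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed samples: the two outputs quoted in the thread, in the
# "METHOD PATH -> HTTP/1.x CODE REASON" line format that http-methods.nse prints.
OUTPUT_1 = """PUT / -> HTTP/1.1 405 Method Not Allowed
DELETE / -> HTTP/1.1 405 Method Not Allowed"""
OUTPUT_2 = """DELETE / -> HTTP/1.1 403 Forbidden
PUT / -> HTTP/1.1 411 Length Required"""

LINE_RE = re.compile(r"^\s*(?P<method>[A-Z]+)\s+(?P<path>\S+)\s*->\s*HTTP/\d\.\d\s+(?P<code>\d{3})\s*(?P<reason>.*)$")

class Probe(NamedTuple):
    method: str
    path: str
    code: int
    reason: str

def parse_http_methods(text: str) -> List[Probe]:
    """Parse http-methods result lines; lines that do not match the format are skipped."""
    probes = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            probes.append(Probe(m["method"], m["path"], int(m["code"]), m["reason"].strip()))
    return probes

def classify(probe: Probe) -> str:
    """Verdict for one probe, following the reasoning in the reply (verdict names are assumed)."""
    c = probe.code
    if 200 <= c < 300:
        return "confirmed"             # only a 2xx shows the method actually changed something
    if c in (405, 501):
        return "not_supported"         # the server refuses the method outright
    if c == 411:
        return "supported_unverified"  # method accepted; the probe just lacked Content-Length/body
    if c in (401, 403):
        return "blocked_by_config"     # auth or a rewrite-style rule stopped it; core may still implement it
    return "inconclusive"

def interpret(text: str) -> Dict[str, str]:
    """Verdict per method for a whole http-methods output block."""
    return {p.method: classify(p) for p in parse_http_methods(text)}

if __name__ == "__main__":
    for name, out in (("Output 1", OUTPUT_1), ("Output 2", OUTPUT_2)):
        print(name, interpret(out))
```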

-----Original Message-----
From: nmap-dev-bounces () insecure org [mailto:nmap-dev-bounces () insecure org]
On Behalf Of Zack Dela
Sent: 07 October 2010 06:37
To: nmap-dev () insecure org
Subject: NMAP -> http-methods.nse result

Good day

I would like to ask about the following output from the script
http-methods. I'm confused whether the site is really using PUT and DELETE.
From which of the following outputs can we conclude that a certain site
does indeed use the PUT and DELETE methods?

In my opinion, Output 1 is not, while Output 2 is somehow using those methods
with restriction (PUT and DELETE). Or do these 2 outputs simply say that the
site is not using the methods PUT and DELETE?

I'm checking this for our site, since the PUT and DELETE methods are
dangerous.

Output 1:
PUT / -> HTTP/1.1 405 Method Not Allowed
DELETE / -> HTTP/1.1 405 Method Not Allowed

Output 2:
DELETE / -> HTTP/1.1 403 Forbidden
PUT / -> HTTP/1.1 411 Length Required

Please help clarify

Thank you.

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
