[3134] in WWW Security List Archive
Re: Potential threat with some HTTP REQUEST METHODS?
daemon@ATHENA.MIT.EDU (Brian W. Spolarich)
Thu Oct 3 14:16:56 1996
Date: Thu, 3 Oct 1996 11:30:01 -0400 (EDT)
From: "Brian W. Spolarich" <briansp@ans.net>
To: "Denis Dion Jr." <ddion@gel.ulaval.ca>
cc: www-security@ns2.rutgers.edu
In-Reply-To: <Pine.SUN.3.91.961001200222.24656A-100000@escoumins.gel.ulaval.ca>
Errors-To: owner-www-security@ns2.rutgers.edu
On Tue, 1 Oct 1996, Denis Dion Jr. wrote:
> But what about these methods? PUT, HEAD, DELETE, LINK, UNLINK
> There doesn't seem to be any available information, even though I just
> read that some of these methods are used to TELL THE SERVER TO
> MODIFY A LINK OR A FILE ON THE SERVER... Seems pretty dangerous isn't it???
Some of these HTTP methods can be dangerous, if you permit them.
Generally for an HTTP server, you configure the server to allow anyone
to submit GET, HEAD, and POST requests, but you apply access controls for
the PUT and other write-oriented methods. Most HTTP servers have this set
up as the default (see the access.conf file for NCSA-derived servers), so
it's not really much of a problem.
The lack of strong and secure client-side authentication seems to me to
be more of an exposure.
-b.
--
Brian W. Spolarich - ANS - briansp@ans.net - (313)677-7311
Alice and Bob aren't speaking anymore. She lost his public key.
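
An added example, not part of the original post or of any server's own tooling: a Python check that reads an NCSA/Apache-style access.conf and reports, for each `<Directory>`, whether the write-oriented methods asked about in the thread are named in a `<Limit>` block that carries a `deny from` or `require` directive. The sample configuration, its paths and the status labels ("restricted", "review", "no rule") are constructed for illustration; "review" is a heuristic flag for a human to look at, not a verdict on the effective policy.

```python
import re

# Write-oriented methods asked about in the thread.
WRITE_METHODS = {"PUT", "DELETE", "LINK", "UNLINK"}

# Constructed sample in NCSA/Apache access.conf syntax (not from the original post).
SAMPLE_CONF = """\
<Directory /usr/local/etc/httpd/htdocs>
<Limit GET POST>
order allow,deny
allow from all
</Limit>
<Limit PUT DELETE>
order deny,allow
deny from all
</Limit>
</Directory>
<Directory /usr/local/etc/httpd/htdocs/upload>
<Limit PUT>
order allow,deny
allow from all
</Limit>
</Directory>
"""

def audit(conf):
    """Return {directory: {method: status}} for the write methods.
    'restricted': named in a <Limit> that has a deny/require directive
    'review':     named in a <Limit> with no deny/require directive
    'no rule':    not named in any <Limit> for that directory"""
    report, directory, methods = {}, None, None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"<Directory\s+(.+?)>$", line, re.I)
        if m:
            directory, methods = m.group(1), None
            report[directory] = dict.fromkeys(WRITE_METHODS, "no rule")
        elif re.match(r"</Directory>$", line, re.I):
            directory = methods = None
        elif directory and re.match(r"<Limit\s", line, re.I):
            listed = {t.upper() for t in line[6:].rstrip(">").split()}
            methods = listed & WRITE_METHODS
            report[directory].update(dict.fromkeys(methods, "review"))
        elif re.match(r"</Limit>$", line, re.I):
            methods = None
        elif directory and methods and re.match(r"(deny\s+from|require)\s", line, re.I):
            report[directory].update(dict.fromkeys(methods, "restricted"))
    return report

if __name__ == "__main__":
    for path, status in audit(SAMPLE_CONF).items():
        print(path, dict(sorted(status.items())))
```
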