Re: uploading files to Apache webserver

From: dzzie@yahoo.com
Date: 10/17/01


From: dzzie@yahoo.com
To: pen-test@securityfocus.com
Subject: Re: uploading files to Apache webserver
Message-Id: <20011017195709.NYMA7982.mta02-srv.alltel.net@quas>
Date: Wed, 17 Oct 2001 14:57:10 -0500


have you tested the PUT script so it is known working?

when I do an HTTP PUT to my IIS server I get back 2 separate headers if it works

PUT /dir/mum.txt HTTP/1.1
Content-Length: 1854
Host: www.bad-things.com

[File Content]

HTTP/1.1 100 Continue
Server: Microsoft-IIS/5.0
Date: Mon, 24 Sep 2001 13:41:11 GMT

HTTP/1.1 201 Created
Server: Microsoft-IIS/5.0
Date: Mon, 24 Sep 2001 13:41:15 GMT
Location: http://www.bad-things.com/dir/mum.txt
Content-Length: 0
Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, LOCK, UNLOCK

if the PUT fails then I get these two headers

HTTP/1.1 100 Continue
Server: Microsoft-IIS/5.0
Date: Mon, 24 Sep 2001 13:43:30 GMT

HTTP/1.1 403 Forbidden
Server: Microsoft-IIS/5.0
Date: Mon, 24 Sep 2001 13:43:30 GMT
Connection: close
Content-Type: text/html
Content-Length: 3193

[html error page generated by IIS]

the first header just means that the method is implemented or not...if I
try a PUT on my Apache server I get

HTTP/1.1 405 Method Not Allowed
Date: Mon, 15 Oct 2001 23:41:33 GMT
Server: Apache/1.3.19 (Unix) PHP/4.0.4pl1 mod_ssl/2.8.2 OpenSSL/0.9.6
Allow: GET, HEAD, OPTIONS, TRACE
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

[html error msg generated by server]

it might be that the server has the PUT method implemented but it's not
actually a writable directory or maybe the PUT script has a bug?

if you have a MS platform about you can try my PUT program it will spit out
all the headers it receives after the attempt..maybe it will show some
more info...

http://geocities.com/dzzie/

it's in the VB6 -> Internet section

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
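
Added example, not part of the original post and not the poster's VB6 program: a Python sketch for reading reply streams like the three quoted above when auditing your own servers for HTTP write access. It skips interim 1xx blocks, takes the final status as the result, and lists any write-capable methods advertised in `Allow`; the function names, verdict labels and abridged sample replies are constructed for illustration.

```python
import re

STATUS_LINE = re.compile(r"^HTTP/\d\.\d (\d{3})")
WRITE_METHODS = {"PUT", "DELETE", "COPY", "MOVE", "PROPPATCH", "LOCK", "UNLOCK"}
VERDICTS = {201: "created", 403: "forbidden", 405: "method-not-allowed"}

def split_responses(raw):
    """Split a raw reply stream into [(status, headers)], interim 1xx blocks first."""
    responses, rest = [], raw.replace("\r\n", "\n")
    while rest:
        head, _, rest = rest.partition("\n\n")
        lines = head.split("\n")
        match = STATUS_LINE.match(lines[0])
        if not match:
            break  # no status line: not an HTTP header block
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        status = int(match.group(1))
        responses.append((status, headers))
        if status >= 200:
            break  # final response reached; whatever follows is its body
    return responses

def audit_put_reply(raw):
    """Summarise a reply to PUT: interim codes, final verdict, advertised write methods."""
    responses = split_responses(raw)
    interim = [s for s, _ in responses if s < 200]
    if not responses or responses[-1][0] < 200:
        return {"verdict": "incomplete", "status": None, "interim": interim, "write_methods": []}
    status, headers = responses[-1]
    allow = {m.strip().upper() for m in headers.get("allow", "").split(",")}
    return {"verdict": VERDICTS.get(status, "other"), "status": status,
            "interim": interim, "write_methods": sorted(allow & WRITE_METHODS)}

# Constructed samples, abridged from the three replies quoted in the post above.
IIS_CREATED = ("HTTP/1.1 100 Continue\r\nServer: Microsoft-IIS/5.0\r\n\r\n"
               "HTTP/1.1 201 Created\r\nServer: Microsoft-IIS/5.0\r\nContent-Length: 0\r\n"
               "Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, COPY, MOVE\r\n\r\n")
IIS_FORBIDDEN = ("HTTP/1.1 100 Continue\r\nServer: Microsoft-IIS/5.0\r\n\r\n"
                 "HTTP/1.1 403 Forbidden\r\nConnection: close\r\n\r\n[html error page]")
APACHE_405 = ("HTTP/1.1 405 Method Not Allowed\r\nServer: Apache/1.3.19 (Unix)\r\n"
              "Allow: GET, HEAD, OPTIONS, TRACE\r\n\r\n[html error msg]")

if __name__ == "__main__":
    for name, raw in (("IIS 201", IIS_CREATED), ("IIS 403", IIS_FORBIDDEN), ("Apache 405", APACHE_405)):
        print(name, audit_put_reply(raw))
```

A `created` verdict or a non-empty `write_methods` list on a server that should be read-only is the finding to follow up in the server's method and directory permissions.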


