Re: HTTP Method?
From: Kerbl Thomas Rudolf (cms00008_at_fh-hagenberg.at)
Date: 09/29/03
Date: Mon, 29 Sep 2003 09:25:28 +0200 To: security-basics@securityfocus.com
----- Original Message -----
From: "SB CH" <chulmin2@hotmail.com>
To: <security-basics@securityfocus.com>
Sent: Friday, September 26, 2003 1:35 PM
Subject: HTTP Method?
> Hello, all.
>
> I heard that some HTTP methods like DELETE, TRACE, CONNECT would not be
> allowed.
> Which security problem would there be if one allows these methods in the web
> server?

Well, DELETE obviously may enable an attacker to wipe your files if the
security settings on your file systems are too weak. I see no good reason why
one would want to enable DELETE anyway.

TRACE is a debugging method; after the server config works for you, you should
disable it. It is possible to start a Cross-Site Scripting attack on your
webpage. You can find details on this topic in the excellent whitepaper from
WhiteHat Security:
http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf
*hth*
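
One way to check whether a server is really accepting the methods named in this thread, as an added example that is not part of the original message: it scans access-log lines for DELETE, TRACE and CONNECT and separates requests the server answered with 2xx (method enabled) from those it refused. It assumes Common Log Format; the names `audit` and `RISKY_METHODS` and the sample log lines are constructed for illustration.

```python
import re

# Methods the thread singles out as ones that should not be allowed.
RISKY_METHODS = {"DELETE", "TRACE", "CONNECT"}

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

def audit(lines):
    """Return (accepted, rejected) lists of risky-method requests.

    accepted: the server answered 2xx, so the method is enabled there.
    rejected: the server refused (e.g. 403/405/501), so the method is off.
    """
    accepted, rejected = [], []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        if m["method"] not in RISKY_METHODS:
            continue
        rec = (m["host"], m["method"], m["target"], int(m["status"]))
        (accepted if 200 <= rec[3] < 300 else rejected).append(rec)
    return accepted, rejected

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '192.0.2.10 - - [29/Sep/2003:09:20:01 +0200] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.10 - - [29/Sep/2003:09:20:05 +0200] "TRACE / HTTP/1.0" 200 87',
    '198.51.100.7 - - [29/Sep/2003:09:21:12 +0200] "DELETE /old.html HTTP/1.1" 405 312',
    '198.51.100.7 - - [29/Sep/2003:09:21:40 +0200] "CONNECT mail.example.org:25 HTTP/1.0" 403 -',
    '203.0.113.4 - - [29/Sep/2003:09:22:03 +0200] "DELETE /docs/a.html HTTP/1.1" 204 -',
    'truncated or malformed line',
]

if __name__ == "__main__":
    ok, refused = audit(SAMPLE)
    for host, method, target, status in ok:
        print(f"ENABLED  {method:7} {target} -> {status} (from {host})")
    for host, method, target, status in refused:
        print(f"refused  {method:7} {target} -> {status} (from {host})")
```

Any line reported as ENABLED means the method needs to be switched off in the server configuration; refused lines show the setting is already doing its job.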