Bragging will get you in trouble every time...

TommyWillB

So I was bragging to a PC guy at work that my Mac OS X Apache/PHP setup was one of the most secure out-of-box setups on the planet. That it had a built-in firewall with no ports open except 80...

...then he said "Oh yeah? Well as long as you have HTTP PUT enabled on port 80, you ain't secure!".


Huh?!?


I found the section on the Apache.org site that talks about LIMITING various HTTP methods, but I'm not quite clear where to put this <LIMIT> command.

Anyone have any general or specific opinions on this subject?

Does Apple have any security notes about the HTTP PUT method?
 
Originally posted by TommyWillB
So I was bragging to a PC guy at work that my Mac OS X Apache/PHP setup was one of the most secure out-of-box setups on the planet. That it had a built-in firewall with no ports open except 80...

...then he said "Oh yeah? Well as long as you have HTTP PUT enabled on port 80, you ain't secure!".

I believe he's telling you with HTTP PUT he can modify your web pages and possibly system files.

The Apache site has the following info:

The purpose of the <Limit> directive is to restrict the effect of the access controls to the nominated HTTP methods. For all other methods, the access restrictions that are enclosed in the <Limit> bracket will have no effect. The following example applies the access control only to the methods POST, PUT, and DELETE, leaving all other methods unprotected.

For example:

<Limit POST PUT DELETE>
Require valid-user
</Limit>

<LimitExcept> and </LimitExcept> are used to enclose a group of access control directives which will then apply to any HTTP access method not listed in the arguments; i.e., it is the opposite of a <Limit> section and can be used to control both standard and nonstandard/unrecognized methods. See the documentation for <Limit> for more details.

For example:

<LimitExcept POST GET>
Require valid-user
</LimitExcept>

You could edit your httpd.conf:

/private/etc/httpd/httpd.conf


If you look at your "httpd.conf" file, you'll see both "Limit" sections already there. Edit as required to prevent the PUT command.

I think this will do what you're after.
 
We are on the right track...

My default web server instance (vs. some of the Virtuals) has no "Require" sections.

So to do this, do I just add this up at the top in the default server area:
Code:
<LimitExcept GET POST>
    Require valid-user
</LimitExcept>


Second question, since I don't really know what Put and Delete are doing, how do I test that this disabled them?
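As an added example (not code from this thread or from Apache), here is a small Python audit of the <Limit>/<LimitExcept> sections in an httpd.conf: it flags a mis-closed section like the one posted above and lists which of the common methods are left without a Require or Deny directive. The config strings it checks are constructed for illustration.

```python
# Added example: audit <Limit>/<LimitExcept> sections in an Apache config.
# Heuristic only: a section "restricts" a method if it carries a Require or
# Deny directive; it does not model Order/Allow or Satisfy.
import re

SECTION_RE = re.compile(r"^\s*<(/?)(Limit|LimitExcept)\b([^>]*)>\s*$", re.IGNORECASE)

def parse_sections(conf_text):
    """Return [(kind, methods, directives)] or raise ValueError on bad nesting."""
    sections, current = [], None
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m = SECTION_RE.match(line)
        if not m:
            if current is not None and line.strip():
                current[2].append(line.strip())  # directive inside the section
            continue
        closing, kind, args = m.group(1) == "/", m.group(2).lower(), m.group(3)
        if not closing:
            if current is not None:  # e.g. "<LimitExcept>" typed instead of "</LimitExcept>"
                raise ValueError(f"line {lineno}: <{kind}> opened inside an unclosed <{current[0]}>")
            current = (kind, {a.upper() for a in args.split()}, [])
        else:
            if current is None or current[0] != kind:
                raise ValueError(f"line {lineno}: stray </{kind}>")
            sections.append(current)
            current = None
    if current is not None:
        raise ValueError(f"<{current[0]}> opened but never closed")
    return sections

def config_error(conf_text):
    """Return the nesting error message, or None if the sections are well formed."""
    try:
        parse_sections(conf_text)
        return None
    except ValueError as exc:
        return str(exc)

def unrestricted_methods(conf_text, probe=("GET", "POST", "PUT", "DELETE")):
    """Methods from `probe` that no restricting section covers."""
    protected = set()
    for kind, methods, directives in parse_sections(conf_text):
        if not any(d.lower().startswith(("require", "deny")) for d in directives):
            continue  # a section with no access-control directive restricts nothing
        if kind == "limit":
            protected |= methods          # <Limit>: only the listed methods
        else:
            protected |= {m for m in probe if m not in methods}  # <LimitExcept>: all others
    return [m for m in probe if m not in protected]

# Constructed inputs: the thread's snippet as posted (mis-closed) and as intended.
BROKEN = "<LimitExcept GET POST>\n    Require valid-user\n<LimitExcept>\n"
FIXED = "<LimitExcept GET POST>\n    Require valid-user\n</LimitExcept>\n"
```

To confirm on the running server, send `curl -i -X PUT` and `curl -i -X DELETE` requests to a test path and expect a 401, 403 or 405 response rather than a 2xx.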
 