Re: [users@httpd] Help required for security vulnerabilities in 1.3.29


 



Hi All,
 
I have come to know that by default the DELETE and PUT methods are disabled in the Apache webserver. Is there any way I can test for the same?
 
Following the tips mentioned in the following sites  http://software.newsforge.com/article.pl?sid=04/09/17/1527247&tid=78&tid=48 
"To test the PUT method, use a tool like curl to attempt a file upload:
curl -T test.asp http://www.mywebsite.com/
 Next, try to access the file. If you can, then the PUT method is enabled.
To test the DELETE method, connect to the server using telnet and issue the following command:
DELETE / HTTP/1.0\n \n
 where is the file you want to delete (ie: index.html). If the file gets removed, the DELETE method is enabled"

Using the curl tool it was seen that the PUT method is not impacting our software
D:\curl\curl-7.15.0>curl -T README http://xxx:8080/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>405 Method Not Allowed</TITLE>
</HEAD><BODY>
<H1>Method Not Allowed</H1>
The requested method PUT is not allowed for the URL /README.<P>
<HR>
<ADDRESS>Apache/1.3.29 Server at indmft6 Port 8080</ADDRESS>
</BODY></HTML>

When using the same tool for the DELETE method we were not able to log in to the server
 
 
Trying directly to test the method DELETE
DELETE <file>  HTTP/1.0\n \n
# DELETE
DELETE: not found
#
 
I got this. Is this a valid testing result, or is "command: not found" a message coming from the Solaris operating system?
 
Please let me know if there is any other way I could verify for sure that this method is not being used by the Apache installed on my machine
 
Thanks for the help
Regards
Priya
 



"William A. Rowe, Jr." <wrowe@xxxxxxxxxxxxx> wrote:
Nick Kew wrote:
> On Tuesday 29 November 2005 12:17, Joost de Heer wrote:
>
>>1.3.34 was released several weeks ago (at least the Unix version, did
>>William Rowe upload the win32 1.3.34 binary yet?)
>
> http://marc.theaimsgroup.com/?l=apache-httpd-dev&m=113147100206551&w=2
>
> I can't find the reference just now, but he later suggested this lack of
> interest means we can finally declare 1.3-on-windows dead.

Yes, at which point Randy our Guru of Win32/modperl reminded me that many
folks do use this, and he personally vouched for the installer.

So, yes, these have been up for the past week.

Bill

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx" from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
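
A way to check both methods over HTTP instead of at the shell prompt, as an added example that is not part of the original thread: each method is sent to a path that should not exist, and the status code is classified, with 405 (as in the curl output above) or 501 meaning the server refuses the method. The function name `probe_method`, the probe path and the local stand-in server that answers 405 are assumptions made so the example runs offline.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

REFUSED = {405, 501}  # Method Not Allowed / Not Implemented

def probe_method(host, port, method, path="/method-probe-nonexistent.txt"):
    """Send one request and return (status, verdict) for that method."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        body = b"probe" if method == "PUT" else None
        conn.request(method, path, body=body)
        resp = conn.getresponse()
        resp.read()
        status = resp.status
    finally:
        conn.close()
    if status in REFUSED:
        return status, "refused"
    if status in (401, 403):
        return status, "blocked by access control"
    if 200 <= status < 300:
        return status, "ACCEPTED - review the server configuration"
    return status, "inconclusive"  # e.g. 404: handled, but no such file

class StandIn(BaseHTTPRequestHandler):
    """Constructed local server that answers PUT and DELETE with 405."""
    def _refuse(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        self.send_response(405)
        self.send_header("Content-Length", "0")
        self.end_headers()
    do_PUT = do_DELETE = _refuse
    def log_message(self, *args):  # keep the demo output quiet
        pass

def demo():
    srv = HTTPServer(("127.0.0.1", 0), StandIn)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return {m: probe_method("127.0.0.1", srv.server_port, m)
                for m in ("PUT", "DELETE")}
    finally:
        srv.shutdown()
        srv.server_close()

if __name__ == "__main__":
    for method, (status, verdict) in demo().items():
        print(method, status, verdict)
```

Against a real server, call `probe_method` with its host and port in place of the stand-in; the nonexistent probe path keeps the check from touching real content.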


