Problems with PUT and DELETE methods

Hi,

A commissioned company has detected a cyber security lack and we were forced to disable the HTTP methods PUT and DELETE on our web server. This was their report:

Test HTTP dangerous methods

Description

Misconfigured web servers allow remote clients to perform dangerous HTTP methods such as PUT and DELETE. This script checks if they are enabled and can be misused to upload or delete files.

Output

Although we could not exploit this it seems that the PUT method is enabled (auth protected) at this web server for the following directories: ....

Although we could not exploit this it seems that the DELETE method is enabled (auth protected) at this web server for the following directories: ....

Solution

Use access restrictions to these dangerous HTTP methods or disable them completely.

After disabling both methods, we are no longer able to create new pages in Confluence. What is the best solution in such a case?

Thanks in advance.

Best regards,

Aysenur

1 answer

1 accepted

0 votes
Answer accepted

This is somewhat provocative, but maybe review why the security scanners don't understand what these methods are for and why they're not dangerous when used correctly?

As they say, they are "auth protected" in Confluence, and are hence used correctly.

So I'm a bit confused on why they have reported this to you like this.  These methods are actually what the web was built for!

Just to second Nic - crappy scanners with robots behind it giving it no thought. Such is today's age. I fail to understand why PUT and DELETE (auth protected!) would be a reason for alarm. First, you need to provide valid application credentials, second, those methods both respect your application permissions.

If they are both auth protected, then why is the solution "use access restrictions"?


Thanks for your answer and your comment. They allowed us to activate the methods and the system is again working without problems.
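
The distinction drawn in the answers above, between a method that is merely enabled behind authentication and one that acts without credentials, can be applied mechanically when triaging such a scanner report. This is an added example and not part of the original thread; the status-code mapping, the login-path hints and the sample probes are assumptions constructed for illustration.

```python
# Added example: triage of unauthenticated PUT/DELETE probe results.
# All paths and responses are constructed samples, not data from the thread.

DISABLED = "disabled"                # server rejects the method itself
AUTH_PROTECTED = "auth-protected"    # method exists, credentials required
ACCEPTED = "accepted-without-auth"   # real finding once a changed resource confirms it
REVIEW = "manual-review"

# Assumption: login redirects contain one of these path fragments.
LOGIN_HINTS = ("/login", "/signin", "/sso")

def classify(status, headers=None):
    """Classify the response to a PUT or DELETE sent without credentials."""
    headers = {k.lower(): v for k, v in (headers or {}).items()}
    if status in (405, 501):
        return DISABLED
    if status in (401, 403):
        return AUTH_PROTECTED
    if status in (301, 302, 303, 307, 308):
        target = headers.get("location", "").lower()
        if any(hint in target for hint in LOGIN_HINTS):
            return AUTH_PROTECTED
        return REVIEW
    if 200 <= status < 300:
        return ACCEPTED
    return REVIEW

def triage(probes):
    """Map each (method, path) probe to a verdict."""
    return {(m, p): classify(s, h) for m, p, s, h in probes}

def actionable(verdicts):
    """Only requests accepted without credentials need a fix."""
    return sorted(k for k, v in verdicts.items() if v == ACCEPTED)

SAMPLE_PROBES = [  # constructed
    ("PUT", "/wiki/page/1", 401, {"WWW-Authenticate": 'Basic realm="app"'}),
    ("DELETE", "/wiki/page/1", 302, {"Location": "/login.action?os_destination=%2Fwiki"}),
    ("PUT", "/static/upload.txt", 201, {}),
    ("DELETE", "/static/upload.txt", 405, {"Allow": "GET, HEAD"}),
    ("DELETE", "/wiki/page/2", 404, {}),
]

if __name__ == "__main__":
    verdicts = triage(SAMPLE_PROBES)
    for key, verdict in verdicts.items():
        print(*key, "->", verdict)
    print("needs a fix:", actionable(verdicts))
```

Only the `accepted-without-auth` verdict calls for restricting or disabling the method on that path; `auth-protected` results are the case the scanner report itself described.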
