Hi,
A company we commissioned has detected a cyber security gap, and we were forced to disable the HTTP methods PUT and DELETE on our web server. This was their report:
Test HTTP dangerous methods
Misconfigured web servers allow remote clients to perform dangerous HTTP methods such as PUT and DELETE. This script checks if they are enabled and can be misused to upload or delete files.
Although we could not exploit this it seems that the PUT method is enabled (auth protected) at this web server for the following directories: ....
Although we could not exploit this it seems that the DELETE method is enabled (auth protected) at this web server for the following directories: ....
Use access restrictions to these dangerous HTTP methods or disable them completely.
After disabling both methods, we are no longer able to create new pages in Confluence. What is the best solution in such a case?
Thanks in advance.
Best regards,
Aysenur
This is somewhat provocative, but maybe review why the security scanners don't understand what these methods are for and why they're not dangerous when used correctly?
As they say, they are "auth protected" in Confluence, and are hence used correctly.
So I'm a bit confused on why they have reported this to you like this. These methods are actually what the web was built for!
Just to second Nic - crappy scanners with robots behind them giving it no thought. Such is today's age. I fail to understand why PUT and DELETE (auth protected!) would be a reason for alarm. First, you need to provide valid application credentials; second, those methods both respect your application permissions.
If they are both auth protected, then why is the solution "use access restrictions"?
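The distinction the answers above draw, between a method that is "enabled (auth protected)" and one that is genuinely open, can be checked directly from the responses a server returns. The following is an added example, not code from this thread, from Confluence or from the scanner vendor: it starts a small stand-in HTTP server (constructed for the demo, with a made-up `editor`/`s3cret` credential and hypothetical `/rest/...` and `/static/...` paths) and classifies each PUT/DELETE endpoint as disabled, auth-protected or open. An administrator can run the `classify_method`/`audit` functions against their own server instead of the stand-in; the outcome to look for before a scanner report is "auth-protected" or "disabled", never "open".

```python
"""Added example: classify how a web server answers PUT/DELETE requests.

Not code from the Atlassian Community thread or from Confluence; it reproduces
the distinction between a method that is "enabled (auth protected)" and one
that accepts unauthenticated writes.
"""
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed credential for the stand-in server below (assumption, not a real account).
DEMO_USER, DEMO_PASS = "editor", "s3cret"
EXPECTED_AUTH = "Basic " + base64.b64encode(f"{DEMO_USER}:{DEMO_PASS}".encode()).decode()


class StandInHandler(BaseHTTPRequestHandler):
    """Minimal stand-in for an application that exposes PUT/DELETE behind auth
    under /rest/ (hypothetical path) and allows neither method under /static/."""

    def _handle_write(self):
        if self.path.startswith("/static/"):
            self.send_response(405)          # method not allowed here at all
            self.send_header("Allow", "GET, HEAD")
            self.end_headers()
            return
        if self.headers.get("Authorization") != EXPECTED_AUTH:
            self.send_response(401)          # enabled, but credentials required
            self.send_header("WWW-Authenticate", 'Basic realm="demo"')
            self.end_headers()
            return
        self.send_response(204)              # authorised write accepted
        self.end_headers()

    do_PUT = _handle_write
    do_DELETE = _handle_write

    def log_message(self, *args):            # keep the demo output quiet
        pass


def start_server():
    """Start the stand-in server on a free localhost port in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), StandInHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def classify_method(host, port, method, path, auth_header=None):
    """Send one request and map the status code to a verdict:
    'disabled' (404/405/501), 'auth-protected' (401/403), 'open' (2xx)
    or 'unexpected:<code>' for anything else."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    headers = {"Authorization": auth_header} if auth_header else {}
    conn.request(method, path, body=b"", headers=headers)
    status = conn.getresponse().status
    conn.close()
    if status in (404, 405, 501):
        return "disabled"
    if status in (401, 403):
        return "auth-protected"
    if 200 <= status < 300:
        return "open"
    return f"unexpected:{status}"


def audit(host, port, paths, methods=("PUT", "DELETE")):
    """Unauthenticated probe of every path/method pair. For a correctly
    configured server every verdict is 'auth-protected' or 'disabled'."""
    return {(m, p): classify_method(host, port, m, p) for p in paths for m in methods}


if __name__ == "__main__":
    srv = start_server()
    host, port = srv.server_address
    for key, verdict in audit(host, port, ["/rest/api/content/1", "/static/logo.png"]).items():
        print(key, "->", verdict)
    # With valid credentials the same endpoint accepts the write; that is the
    # intended behaviour the answers describe, not a misconfiguration.
    print(("PUT", "/rest/api/content/1", "with auth"), "->",
          classify_method(host, port, "PUT", "/rest/api/content/1", EXPECTED_AUTH))
    srv.shutdown()
```

Running the block prints `auth-protected` for the `/rest/` paths and `disabled` for `/static/` when no credentials are sent, and `open` for the authenticated PUT. A scanner that reports the first of these as a finding is describing exactly the configuration the answers call correct; the response worth acting on is an `open` verdict on an unauthenticated request.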
Thanks for your answer and your comment. They allowed us to activate the methods and the system is again working without problems.