Problems with PUT and DELETE methods

CSS Akademie December 17, 2021

Hi,

A commissioned company has detected a cyber security gap and we were forced to disable the HTTP methods PUT and DELETE on our web server. This was their report:

Test HTTP dangerous methods

Description

Misconfigured web servers allow remote clients to perform dangerous HTTP methods such as PUT and DELETE. This script checks if they are enabled and can be misused to upload or delete files.

Output

Although we could not exploit this it seems that the PUT method is enabled (auth protected) at this web server for the following directories: ....

Although we could not exploit this it seems that the DELETE method is enabled (auth protected) at this web server for the following directories: ....

Solution

Use access restrictions to these dangerous HTTP methods or disable them completely.

After disabling both methods, we are no longer able to create new pages in Confluence. What is the best solution in such a case?

Thanks in advance.

Best regards,

Aysenur

Answer accepted
Nic Brough -Adaptavist-
December 17, 2021

This is somewhat provocative, but maybe review why the security scanners don't understand what these methods are for and why they're not dangerous when used correctly?

As they say, they are "auth protected" in Confluence, and are hence used correctly.

So I'm a bit confused about why they have reported this to you like this. These methods are actually what the web was built for!

Radek Dostál
December 19, 2021

Just to second Nic - crappy scanners with robots behind it giving it no thought. Such is today's age. I fail to understand why PUT and DELETE (auth protected!) would be a reason for alarm. First, you need to provide valid application credentials, second, those methods both respect your application permissions.

If they are both auth protected, then why is solution "use access restrictions"?

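Added example (not part of the thread, and not Atlassian's or Confluence's code) to make concrete what "auth protected" means in the two replies above: the methods stay enabled, an anonymous PUT or DELETE is refused, and the same request with a valid login succeeds. The toy server, the `editor`/`s3cret` credential, the realm name and the `/rest/api/content/demo-page` path are all constructed for this demo; `verify_auth_protection` is the check you would run against your own staging instance to confirm the gating before accepting or rejecting a scanner finding.

```python
"""Demo of auth-protected PUT/DELETE and a check that verifies the gating.

Everything here is constructed for illustration: the server stands in for
a Confluence front end, and the credential, realm and path are made up.
"""
import base64
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed demo credential; a real deployment validates application users.
DEMO_USER, DEMO_PASS = "editor", "s3cret"
REALM = "confluence-demo"


class AuthProtectedHandler(BaseHTTPRequestHandler):
    """PUT and DELETE are enabled but only succeed with valid Basic credentials."""

    store = {}  # path -> body: the "pages" this toy server holds

    def _authorized(self):
        header = self.headers.get("Authorization", "")
        if not header.startswith("Basic "):
            return False
        try:
            decoded = base64.b64decode(header[6:]).decode()
        except (ValueError, UnicodeDecodeError):
            return False
        return decoded == f"{DEMO_USER}:{DEMO_PASS}"

    def _read_body(self):
        # Drain the request body even when rejecting, so the client sees a clean close.
        length = int(self.headers.get("Content-Length", 0))
        return self.rfile.read(length) if length else b""

    def _reject(self):
        self.send_response(401)  # refused, but the method itself is not disabled
        self.send_header("WWW-Authenticate", f'Basic realm="{REALM}"')
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_PUT(self):
        body = self._read_body()
        if not self._authorized():
            return self._reject()
        self.store[self.path] = body
        self.send_response(201)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_DELETE(self):
        self._read_body()
        if not self._authorized():
            return self._reject()
        self.store.pop(self.path, None)
        self.send_response(204)
        self.end_headers()

    def log_message(self, *args):  # keep the demo output quiet
        pass


def probe(base_url, path, method, credentials=None):
    """Send one request and return its status code (4xx/5xx returned, not raised)."""
    data = b"<p>demo page</p>" if method == "PUT" else None
    req = Request(base_url + path, data=data, method=method)
    if credentials:
        token = base64.b64encode(f"{credentials[0]}:{credentials[1]}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


def verify_auth_protection(base_url, path="/rest/api/content/demo-page"):
    """For PUT and DELETE, record the anonymous and authenticated status codes.

    'auth_protected' is True when the anonymous call is refused (401/403)
    while a valid login succeeds (2xx). A 405 on both would mean the method
    is disabled outright, which is the state that breaks page creation.
    """
    results = {}
    for method in ("PUT", "DELETE"):
        anon = probe(base_url, path, method)
        authed = probe(base_url, path, method, (DEMO_USER, DEMO_PASS))
        results[method] = {
            "anonymous": anon,
            "authenticated": authed,
            "auth_protected": anon in (401, 403) and 200 <= authed < 300,
        }
    return results


def run_demo():
    """Start the toy server on a free loopback port, run the check, shut down."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), AuthProtectedHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return verify_auth_protection(f"http://127.0.0.1:{server.server_address[1]}")
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for method, outcome in run_demo().items():
        print(method, outcome)
```

Against a real instance, point `verify_auth_protection` at your own staging server with an account you control; if both methods come back refused anonymously and accepted with the login, the finding describes intended behaviour, whereas 405 on both is the over-correction that stopped Confluence creating pages.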
CSS Akademie January 12, 2022

Thanks for your answer and your comment. They allowed us to activate the methods and the system is again working without problems.
