A site for solving at least some of your technical problems...
A site for solving at least some of your technical problems...
Just got told that one of my servers was running WebDAV. I used that before so I thought it was turned on. Checking at the server, I could not find anything about DAV that was turned on in my server...
So, how could they detect WebDAV and not me??
The fact is that by default Drupal doesn't check the HTTP query method. It should! In fact, Drupal happily answers all methods with an HTML page. So I did not have WebDAV, just a flaky CMS.
How can you test methods that your server supports?
Knowing your IP address and port, use telnet like this:
telnet IP port (i.e. telnet 1.2.3.4 80)
Once connected to your Apache or IIS server, type a header file such as this one:
PROPFIND / HTTP/1.1 Keep-Alive: Connection: TE, Keep-Alive TE: trailers Host: secure.m2osw.com
Enter a host that makes sense for your server and hit enter twice at the end (so you generate an empty line which is detected as the end of the HTTP request header.)
The response should be something like 501. It may also return 404 or 403 or 401. If you get a 200, however, that's when the others will think you have a WebDAV installed, even if the message returned has nothing to do with WebDAV.
My solution was to tweak an existing rule in modsecurity which checks for headers and "breaks" if a header is something else than GET, POST, or HEAD. That's pretty much all we use at this time, so anything else is just ignored with a 501 error.
SecRule REQUEST_METHOD "!^((?:POST|GET|HEAD))$" \ "phase:2,t:none,log,auditlog,deny,status:501, ... ... msg:'Method is not allowed by policy', ... ... severity:'2',id:'960032',tag:'POLICY/METHOD_NOT_ALLOWED'"
Note that the "..." just means it continues on and on, don't break the string on multiple lines. In my case, I added the keyword "deny" and a comma. The entry was already in there otherwise. It could be that I removed the word "deny" at some point, although my two servers had the same default so I'm thinking that was the stock version of that rule.
Recent Posts on The Linux Page: