Detections
Analytics
Misconfiguration in LIMIT directive of .htaccess file
medium Web App Scanning Plugin ID 98095
Language:
Synopsis
Misconfiguration in LIMIT directive of .htaccess fileDescription
There are a number of HTTP methods that can be used on a webserver (for example `OPTIONS`, `HEAD`, `GET`, `POST`, `PUT`, `DELETE `etc.). Each of these methods perform a different function, and each has an associated level of risk when their use is permitted on the webserver.The `<Limit>` directive within Apache's `.htaccess` file allows administrators to define which of the methods they would like to block. However, as this is a blacklisting approach, it is inevitable that a server administrator may accidentally miss adding certain HTTP methods to be blocked, thus increasing the level of risk to the application and/or server.
Solution
The preferred configuration is to prevent the use of unauthorised HTTP methods by utilising the `<LimitExcept>` directive.This directive uses a whitelisting approach to permit HTTP methods while blocking all others not listed in the directive, and will therefor block any method tampering attempts.
Most commonly, the only HTTP methods required for most scenarios are `GET` and `POST`. An example of permitting these HTTP methods is: `<LimitExcept POST GET> require valid-user </LimitExcept>`
See Also
Plugin Details
Severity: Medium
ID: 98095
Type: remote
Family: Web Servers
Published: 3/31/2017
Updated: 6/10/2024
Scan Template: api, basic, full, pci, scan
Risk Information
VPR
Risk Factor: Low
Score: 2.5
CVSS v2
Risk Factor: Medium
Base Score: 6.4
Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSS Score Source: Tenable
CVSS v3
Risk Factor: Medium
Base Score: 6.5
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CVSS Score Source: Tenable
CVSS v4
Risk Factor: Medium
Base Score: 6.9
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
CVSS Score Source: Tenable