Publicly writable directory

high Web App Scanning Plugin ID 98099

Language:

Synopsis

Description

There are various methods in which a file (or files) may be uploaded to a webserver. One method that can be used is the HTTP `PUT` method. The `PUT` method is mainly used during development of applications and allows developers to upload (or put) files on the server within the web root.

By nature of the design, the `PUT` method typically does not provide any filtering and therefore allows sever side executable code (PHP, ASP, etc) to be uploaded to the server.

Cyber-criminals will search for servers supporting the `PUT` method with the intention of modifying existing pages, or uploading web shells to take control of the server.

Scanner has discovered that the affected path allows clients to use the `PUT` method. During this test, scanner has `PUT` a file on the server within the web root and successfully performed a `GET` request to its location and verified the contents.

Solution

Where possible the HTTP `PUT` method should be globally disabled. This can typically be done with a simple configuration change on the server. The steps to disable the `PUT` method will differ depending on the type of server being used (IIS, Apache, etc.).
For cases where the `PUT` method is required to meet application functionality, such as REST style web services, strict limitations should be implemented to ensure that only secure (SSL/TLS enabled) and authorised clients are permitted to use the `PUT` method.
Additionally, the server's file system permissions should also enforce strict limitations.