Full Report
A very common finding in our day-to-day vulnerability management endeavours is HTTP Methods Per Directory. In its most basic form, HackRack determines which HTTP methods are allowed on the various web or CGI directories it discovers by sending an OPTIONS request to each directory. On its own the finding is not always significant, but as soon as a directory allows PUT or DELETE and weak directory permissions are in place, the picture becomes much more colourful.
Analysis Summary
# Vulnerability: Information Disclosure via Permissive HTTP Methods Per Directory
## CVE Details
- CVE ID: Not Applicable (This describes a configuration weakness/best practice violation, not a specific software vulnerability with a dedicated CVE.)
- CVSS Score: N/A (Configuration Issue)
- CWE: CWE-200 (Information Exposure), CWE-73 (External Control of File Name or Path) (If PUT/DELETE leads to file overwrite/creation)
## Affected Systems
- Products: Any web server (e.g., Apache, Nginx, IIS) or application server hosting web/CGI directories.
- Versions: All versions that allow HTTP methods beyond GET/HEAD/POST by default or via configuration, and especially those where permissive methods (PUT, DELETE) coexist with weak directory permissions.
- Configurations: Directories configured to allow HTTP methods such as `PUT` or `DELETE` without proper authorization or access control checks.
## Vulnerability Description
The issue arises when web or CGI directories permit HTTP methods like `PUT` or `DELETE` via the server configuration (often revealed using the `OPTIONS` HTTP method). While allowing these methods is sometimes necessary for APIs or WebDAV, if an unprotected directory allows `PUT` (to upload arbitrary content) or `DELETE` (to remove files), this misconfiguration can lead to severe security implications, especially when combined with weak filesystem permissions.
## Exploitation
- Status: PoC available (The article describes a tool/script for *detection*, so identification methods are readily available.)
- Complexity: Low (Identification is achieved via a simple `OPTIONS` request.)
- Attack Vector: Network
## Impact
- Confidentiality: Medium (If an attacker can view directory listings containing sensitive file names, though this is secondary to integrity/availability risks.)
- Integrity: High (If `PUT` is allowed on sensitive paths, allowing upload/overwrite of configuration files or application code.)
- Availability: High (If `DELETE` is allowed on critical resources, leading to Service Disruption.)
## Remediation
### Patches
- This requires configuration changes, not software patches, unless the web server ships with insecure defaults that cannot be overridden.
### Workarounds
1. **Restrict HTTP Methods:** Configure directories and virtual hosts via the web server configuration files (e.g., Apache `.htaccess`, Nginx configuration) to explicitly allow only necessary methods (usually `GET`, `HEAD`, `POST`).
2. **Disable Unnecessary Methods:** Specifically disable `PUT`, `DELETE`, `TRACE`, and other potentially dangerous methods for all static content directories.
3. **Check Permissions:** Ensure that directories where methods like `PUT` or `DELETE` *must* be enabled (e.g., specific API endpoints) have strict ACLs and authentication requirements.
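The following is an added example, not code from the original article or the SensePost tools it references. It shows what the Workarounds above should produce when checked with the `OPTIONS` method described under Detection: a small local demo server (constructed for this example) plays two directories, `/uploads/`, which is misconfigured and advertises `PUT` and `DELETE`, and `/static/`, which is restricted to `GET`/`HEAD`/`POST`; an audit function then sends `OPTIONS` to each path, parses the `Allow` header and flags risky methods. The paths, the `DEMO_POLICY` table and the `RISKY_METHODS` set are assumptions for the demo.

```python
"""Audit which HTTP methods each directory advertises via OPTIONS.

Added example (not the SensePost mpd-80.py / mpd-443.py tools). A local
demo server answers OPTIONS per directory so the audit can run offline.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Methods that should not be enabled on ordinary content directories (assumption).
RISKY_METHODS = {"PUT", "DELETE", "TRACE"}

# Constructed policy for the demo server: path prefix -> advertised methods.
# /uploads/ is the misconfiguration; /static/ is what a restricted
# directory (e.g. Apache LimitExcept / Nginx limit_except) should look like.
DEMO_POLICY = {
    "/uploads/": ["GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"],
    "/static/": ["GET", "HEAD", "POST", "OPTIONS"],
}


class DemoHandler(BaseHTTPRequestHandler):
    """Minimal server answering OPTIONS with an Allow header per directory."""

    def _allowed(self):
        for prefix, methods in DEMO_POLICY.items():
            if self.path.startswith(prefix):
                return methods
        return ["GET", "HEAD", "OPTIONS"]

    def do_OPTIONS(self):
        self.send_response(204)
        self.send_header("Allow", ", ".join(self._allowed()))
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_demo_server():
    """Start the demo server on a free loopback port; returns (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def parse_allow(header_value):
    """Turn 'GET, Put , delete' into an uppercase, de-duplicated set."""
    if not header_value:
        return set()
    return {m.strip().upper() for m in header_value.split(",") if m.strip()}


def audit_methods(host, port, paths, timeout=5):
    """Send OPTIONS to each path; return {path: {"allow": set, "risky": set}}."""
    results = {}
    for path in paths:
        # One connection per path: the demo server speaks HTTP/1.0 and
        # closes after each response, so reuse would not buy anything.
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request("OPTIONS", path)
            resp = conn.getresponse()
            resp.read()  # drain the (empty) body
            allowed = parse_allow(resp.getheader("Allow"))
        finally:
            conn.close()
        results[path] = {"allow": allowed, "risky": allowed & RISKY_METHODS}
    return results


def audit_demo():
    """Run the audit against the local demo server and return its results."""
    server, port = start_demo_server()
    try:
        return audit_methods("127.0.0.1", port, list(DEMO_POLICY))
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for path, info in audit_demo().items():
        flag = "RISKY" if info["risky"] else "ok"
        print(f"{path:<12} {flag:<6} {', '.join(sorted(info['allow']))}")
```

Against a real host, replace the demo server with the target host and port and pass the directory list you already have from crawling; any path whose `risky` set is non-empty is a candidate for the method restrictions listed above, and any such path that also has weak filesystem permissions is the combination the report warns about.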
## Detection
- **Indicators of Compromise:** Presence of unexpected files following requests made using `PUT` or abnormally deleted critical files identified through file integrity monitoring (FIM).
- **Detection Methods and Tools:**
* Scanning directories using the `OPTIONS` HTTP method to enumerate allowed methods.
* The article references specific Python tools (`mpd-80.py`, `mpd-443.py`) designed to automate this discovery process.
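As a complement to the file-integrity indicators above, the following added example (not from the original article or its tools) scans Apache/Nginx "combined" format access log lines for `PUT` or `DELETE` requests the server actually accepted (a 2xx status), which is the event that should precede an unexpected or missing file. The log lines, IP addresses and paths are constructed for the demo.

```python
"""Flag accepted PUT/DELETE requests in web server access logs.

Added example; the log format regex covers the common "combined" format
and the sample lines are constructed for this demo.
"""
import re
from collections import namedtuple

# Methods whose successful use on a content directory warrants review.
WRITE_METHODS = {"PUT", "DELETE"}

# Constructed sample log: one OPTIONS probe, two accepted writes, one refused.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /static/app.js HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2024:10:01:07 +0000] "OPTIONS /uploads/ HTTP/1.1" 204 0 "-" "curl/8.4.0"
10.0.0.9 - - [12/Mar/2024:10:01:09 +0000] "PUT /uploads/note.txt HTTP/1.1" 201 0 "-" "curl/8.4.0"
10.0.0.9 - - [12/Mar/2024:10:01:15 +0000] "DELETE /static/index.html HTTP/1.1" 204 0 "-" "curl/8.4.0"
10.0.0.9 - - [12/Mar/2024:10:01:20 +0000] "PUT /static/x.txt HTTP/1.1" 405 0 "-" "curl/8.4.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

Event = namedtuple("Event", "ip timestamp method path status")


def parse_line(line):
    """Parse one access log line; return an Event or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return Event(m["ip"], m["ts"], m["method"], m["path"], int(m["status"]))


def find_write_events(lines):
    """Return the PUT/DELETE requests that the server accepted (2xx status).

    A 405 (as the restricted /static/ directory returns) is deliberately
    not reported: it shows the method restriction working.
    """
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev and ev.method in WRITE_METHODS and 200 <= ev.status < 300:
            hits.append(ev)
    return hits


def summarize_by_client(events):
    """Group accepted writes per source IP so an operator sees who wrote where."""
    by_ip = {}
    for ev in events:
        by_ip.setdefault(ev.ip, []).append(f"{ev.method} {ev.path}")
    return by_ip


if __name__ == "__main__":
    events = find_write_events(SAMPLE_LOG.splitlines())
    for ip, actions in summarize_by_client(events).items():
        print(f"{ip}: {'; '.join(actions)}")
```

Each reported path is a file to reconcile against the file integrity monitoring baseline: an accepted `PUT` on a path that should be static content, or an accepted `DELETE` on a critical resource, is exactly the integrity or availability impact the report describes.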
## References
- Vendor advisories: N/A (Configuration Best Practice)
- Relevant links - defanged: hxxp://www.sensepost.com/labs/tools/misc