Misconfiguration in LIMIT directive of .htaccess file

Medium Web Application Scanning Plugin ID 98095

Synopsis

Misconfiguration in LIMIT directive of .htaccess file

Description

There are a number of HTTP methods that a web server may accept (for example
`OPTIONS`, `HEAD`, `GET`, `POST`, `PUT`, `DELETE`, `PATCH`, and the WebDAV
methods such as `PROPFIND` and `MKCOL`). Each method performs a different
function, and each carries a different level of risk when the server permits
it: a `PUT` or `DELETE` that reaches a handler can create or remove content,
which is a very different exposure from a `GET`.

The `<Limit>` directive in Apache's `.htaccess` file applies the access
controls it encloses only to the HTTP methods named in it; every method not
listed is left unrestricted. Because this is a blacklisting approach, an
administrator can easily omit a method (`PATCH`, `PROPFIND`, `MKCOL`, or a
non-standard method the server still passes on to a handler), leaving it open
and increasing the level of risk to the application and/or server. Two further
details make the blacklist easy to get wrong: method names in `<Limit>` are
case-sensitive, and `TRACE` cannot be restricted with `<Limit>` at all (it is
controlled by the server-level `TraceEnable` directive instead).

Solution

The preferred configuration is to prevent the use of unauthorised HTTP methods with the `<LimitExcept>` directive.
`<LimitExcept>` uses a whitelisting approach: the access controls it encloses apply to every method not listed, including non-standard ones, so method tampering with a method the administrator never thought of is caught as well.
For most applications the only methods required are `GET` and `POST` (Apache treats `HEAD` as `GET`, so listing `GET` keeps `HEAD` available). For example, to require authentication for any method other than these two:

    <LimitExcept POST GET>
        require valid-user
    </LimitExcept>

Note that `<LimitExcept>` by itself blocks nothing; the directive inside it decides what happens. `require valid-user` still lets authenticated users send the other methods; to refuse them outright use `Require all denied` (Apache 2.4) or `Deny from all` (Apache 2.2) inside the block instead.
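The weak and the hardened configuration side by side, as an added example that is not taken from the plugin page or from the Apache documentation. It assumes a `.htaccess` in a directory whose `AllowOverride` includes `Limit` and `AuthConfig` (otherwise these directives are ignored or produce a 500), Apache 2.4 syntax unless noted, and an application that needs only `GET` and `POST`; the `BEFORE` block is left commented out so the file can be used as-is.

```apacheconf
# BEFORE (do not use): blacklist with <Limit>, the misconfiguration this
# plugin reports. Only PUT and DELETE are covered. PATCH, PROPFIND, MKCOL,
# COPY, MOVE, LOCK, UNLOCK, OPTIONS, CONNECT and any non-standard method are
# NOT restricted by this block. Method names are case-sensitive, and TRACE
# cannot be limited here at all.
#
# <Limit PUT DELETE>
#     Require all denied
# </Limit>

# AFTER: whitelist with <LimitExcept>. The enclosed Require applies to every
# method other than GET and POST, including methods that did not exist when
# this file was written. HEAD is treated as GET, so listing GET keeps HEAD
# available. If the application answers cross-origin requests, add OPTIONS
# to the list so CORS preflights are not refused.
<LimitExcept GET POST>
    Require all denied
</LimitExcept>

# Same whitelist for Apache 2.2 (mod_authz_host syntax), assumed usage:
#
# <LimitExcept GET POST>
#     Order deny,allow
#     Deny from all
# </LimitExcept>

# Variant matching the page's own example: other methods are not refused,
# only gated behind authentication. Assumes an AuthType/AuthName/AuthUserFile
# setup exists in this file; without it the Require will fail.
#
# <LimitExcept GET POST>
#     Require valid-user
# </LimitExcept>

# TRACE is outside the scope of <Limit>/<LimitExcept>. Disable it in the
# server or virtual host configuration (TraceEnable is not valid in .htaccess):
#
# TraceEnable off
```

After deploying, confirm the result from outside rather than trusting the file: send `GET`, `HEAD`, `POST` and then a handful of others (`PUT`, `DELETE`, `PATCH`, `PROPFIND`, an invented method name) to the protected path and check that only the first three are answered with anything other than 403.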

See Also

http://httpd.apache.org/docs/2.2/mod/core.html#limit

Plugin Details

Severity: Medium

ID: 98095

Type: remote

Family: Web Servers

Published: 2017/03/31

Modified: 2017/10/16

Risk Information

Risk Factor: Medium

CVSSv2

Base Score: 6.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSSv3

Base Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Reference Information