Publicly writable directory

High Web Application Scanning Plugin ID 98099

Synopsis

Publicly writable directory

Description

There are various methods in which a file (or files) may be uploaded to a webserver. One method that can be used is the HTTP `PUT` method. The `PUT` method is mainly used during development of applications and allows developers to upload (or put) files on the server within the web root.
By nature of the design, the `PUT` method typically does not provide any filtering and therefore allows sever side executable code (PHP, ASP, etc) to be uploaded to the server.
Cyber-criminals will search for servers supporting the `PUT` method with the intention of modifying existing pages, or uploading web shells to take control of the server.
Scanner has discovered that the affected path allows clients to use the `PUT` method. During this test, scanner has `PUT` a file on the server within the web root and successfully performed a `GET` request to its location and verified the contents.

Solution

Where possible the HTTP `PUT` method should be globally disabled. This can typically be done with a simple configuration change on the server. The steps to disable the `PUT` method will differ depending on the type of server being used (IIS, Apache, etc.).
For cases where the `PUT` method is required to meet application functionality, such as REST style web services, strict limitations should be implemented to ensure that only secure (SSL/TLS enabled) and authorised clients are permitted to use the `PUT` method.
Additionally, the server's file system permissions should also enforce strict limitations.

See Also

http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html

Plugin Details

Severity: High

ID: 98099

Type: remote

Family: Web Servers

Published: 2017/03/31

Modified: 2017/10/16

Risk Information

Risk Factor: High

Reference Information