[Question] The report from an N-Stalker scan

Board: NetSecurity (Information Security)  Author: (我笑他人看不穿)  Time: 17 years ago (2007/11/20 15:54), pushes 0 (0/0/0)
0 comments, 0 participants, latest thread 1/1
Because the web site on my server was compromised earlier and used as a stepping stone for further attacks, I reinstalled it and then ran N-Stalker to see whether any vulnerabilities remain. One of the findings reads:

Comments: An insecure HTTP method has been detected as available in the Web Server side and may be exploited under certain conditions. Although it may varies accordingly to the situation, HTTP methods others than GET, POST and HEAD are not common and should be evaluated before being made public available on production-level Web Servers. Some problems may arise because of information leakage problem such as TRACE method (that may reveal internal private HTTP Headers) or may be used for client-side credentials stealing attacks. Other methods such as PROPFIND and WebDav-based methods may allow for arbitrary file uploading and should not be available under normal conditions. This issue can be considered an Insecure Configuration Management as described in OWASP Top10 Web Application Vulnerabilities, Section A10: "Web server and application server configurations play a key role in the security of a web application. These servers are responsible for serving content and invoking applications that generate content. In addition, many application servers provide a number of services that web applications can use, including data storage, directory services, mail, messaging, and more. Failure to manage the proper configuration of your servers can lead to a wide variety of security problems."

I originally thought this meant I had to restrict the HTTP methods the server accepts, so I added the following:

    <Directory />
        <Limit GET POST OPTIONS>
            Order allow,deny
            Allow from all
        </Limit>
        <LimitExcept GET POST OPTIONS>
            Order deny,allow
            Deny from all
        </LimitExcept>
    </Directory>

But the scan still produces the same comment. Could a senior member please advise? Thank you.

--
※ Sent from: 批踢踢實業坊 (ptt.cc) ◆ From: 134.208.2.224
文章代碼(AID): #17GfAPgV (NetSecurity)
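Added example, not part of the post above and not taken from the N-Stalker report: the poster's block together with the two things it cannot do on its own. It assumes Apache httpd 2.2 access-control syntax (Order/Allow/Deny); on 2.4 the equivalents are "Require all granted" and "Require all denied". The directives used (TraceEnable, Dav, Limit, LimitExcept, IfModule) are real Apache directives; the comments state why each piece is there.

```apache
# TRACE is answered by the Apache core before any <Limit>/<LimitExcept> section is
# consulted, so the poster's block leaves it enabled and the scanner still sees it.
# TraceEnable off (httpd 2.0.55 and later) makes the server answer 405 Method Not Allowed.
TraceEnable off

<Directory />
    # Listing GET here also covers HEAD; HEAD does not need to be named separately.
    <Limit GET POST OPTIONS>
        Order allow,deny
        Allow from all
    </Limit>

    # Every method not named above (PUT, DELETE, PROPFIND, MKCOL, ...) gets 403 Forbidden.
    # Note that the report counts OPTIONS itself as "not common"; if OPTIONS is what the
    # scanner is reacting to, remove it from both lists.
    <LimitExcept GET POST OPTIONS>
        Order deny,allow
        Deny from all
    </LimitExcept>

    # PROPFIND and the other WebDAV methods only exist when mod_dav is loaded; make sure
    # it is switched off for public content even if the module is present.
    <IfModule mod_dav.c>
        Dav Off
    </IfModule>
</Directory>
```

Two things to check after reloading. First, Directory sections are merged from the shortest path to the longest, so a later `<Directory /var/www>` block that carries its own `<Limit>` can re-open methods this root block closes; grep the whole configuration for other Limit and Dav directives. Second, verify the result from the server itself rather than trusting the scanner alone: `curl -i -X TRACE http://localhost/` should now return 405, and `curl -i -X PROPFIND http://localhost/` should return 403.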