HTTP PUT
Impact
An attacker may be able to upload files onto the web server, overwriting pages or scripts.
Background
Web servers use the Hypertext Transfer Protocol (HTTP) to communicate with web browsers. HTTP includes several different request methods, the most common of which are GET, which is used to request a particular web page from the server, and POST, which is usually used to send form data to a web application. Another request method which is sometimes recognized by the web server is PUT, which is used for web publishing: the client sends the content of a file in the request body, and the server stores it at the requested path.
The Problem
If the web server accepts PUT requests, an attacker could upload files to any directory which is writable by the user the web server runs as. This could allow an attacker to make unauthorized changes to web pages. If the script directory (typically /cgi-bin) is writable, the attacker could replace scripts with versions containing Trojan horses which could have harmful effects on the server.
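One way to tell whether a server is already accepting PUT requests is to look for them in the access log: a PUT answered with a 2xx status means the server stored the file, while a 403 or 405 means it was refused. The following is an added example, not part of the original page; it parses Common Log Format lines (the sample lines are constructed) and reports every PUT that succeeded, so an administrator can see which paths were written and from where.

```python
import re
from collections import Counter

# Common Log Format, for example:
# 10.0.0.5 - - [10/Oct/2000:13:55:36 -0700] "PUT /index.html HTTP/1.0" 201 326
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log: two accepted PUTs, two refused, ordinary GETs
# and one malformed line that the parser must skip.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2000:13:55:36 -0700] "GET /index.html HTTP/1.0" 200 2326',
    '10.0.0.9 - - [10/Oct/2000:13:56:01 -0700] "PUT /index.html HTTP/1.0" 405 0',
    '10.0.0.9 - - [10/Oct/2000:13:56:07 -0700] "PUT /index.html HTTP/1.0" 204 0',
    '10.0.0.9 - - [10/Oct/2000:13:56:20 -0700] "PUT /cgi-bin/search.cgi HTTP/1.0" 201 512',
    '10.0.0.9 - - [10/Oct/2000:13:56:31 -0700] "PUT /cgi-bin/admin.cgi HTTP/1.0" 403 0',
    'garbage line that is not an access log entry',
    '10.0.0.5 - - [10/Oct/2000:13:57:02 -0700] "GET /cgi-bin/search.cgi?q=x HTTP/1.0" 200 98',
]


def parse_clf(line):
    """Parse one Common Log Format line into a dict, or return None
    if the line does not match the format."""
    m = CLF_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def find_accepted_puts(lines):
    """Return the log entries where a PUT request received a 2xx status,
    i.e. the server accepted and stored the uploaded file."""
    hits = []
    for line in lines:
        entry = parse_clf(line)
        if entry is None:
            continue  # skip lines that are not in CLF
        if entry["method"] == "PUT" and 200 <= entry["status"] < 300:
            hits.append(entry)
    return hits


def written_paths_by_host(lines):
    """Summarise accepted PUTs as a Counter of (client host, path) pairs,
    which is the form most useful for an incident report."""
    return Counter((e["host"], e["path"]) for e in find_accepted_puts(lines))


if __name__ == "__main__":
    for (host, path), n in written_paths_by_host(SAMPLE_LOG).items():
        print(f"{host} wrote {path} ({n} accepted PUT request(s))")
```

A script directory path such as /cgi-bin showing up in this output is the case the text above warns about: a script may have been replaced rather than a static page. Refused PUTs (403, 405) are still worth noting as evidence that someone is probing for the method, but they do not indicate a successful write.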
Resolution
Configure the web server not to accept PUT requests. If you require the functionality of PUT for web publishing, use a PUT script which can only be run by authorized users, which ensures that the script can update only web content files, and which ensures that users can only update their own pages.
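As an added illustration of the first recommendation (not taken from the original page or from the Apache Week tutorial), this is how the restriction looks for the Apache HTTP Server 2.4 configuration: every method other than GET, HEAD and POST is denied for the document root, so a PUT is answered with 403 rather than stored. The directory path is an assumption; substitute your own DocumentRoot.

```apache
# Assumed document root; adjust to match DocumentRoot on your server.
<Directory "/var/www/html">
    # Deny every request method that is not explicitly listed here.
    # PUT, DELETE and any other method fall into the denied set.
    <LimitExcept GET HEAD POST>
        Require all denied
    </LimitExcept>
</Directory>
```

Using LimitExcept (deny everything not listed) is preferable to Limit PUT (deny only the named method), because it also covers methods you did not think to list. If a separate publishing area must accept PUT from authorized users, put that directory in its own Directory block with its own authentication rules instead of relaxing this one.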
Where can I read more about this?
A good tutorial on the proper use of the PUT method is available from Apache Week.