.

Web Server allowing the HTTP PUT Method

<<

tyr3ll

Newbie
Newbie

Posts: 2

Joined: Sat Nov 26, 2011 5:30 am

Post Tue Jul 03, 2012 10:30 am

Web Server allowing the HTTP PUT Method

Hello!
As everyone knows the PUT Method can be a concern when allowed on webservers.
I've been through some tests which raise questions i'd like to submit here:

Using the OPTIONS method, we ask the server what methods are allowed
for the root path '/' :
hey@nix:~/# echo -e "OPTIONS / HTTP/1.0\n" | nc -v server 80

HTTP/1.0 200 OK
Date: Tue, 03 Jul 2012 13:06:15 GMT
Server: Apache/1.3.27 (Unix) PHP/4.3.9
Content-Length: 0
Allow: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK, TRACE

Great, the apache server says PUT is allowed for '/'.
Now, we know there are the following directories on the server:
/c/
/manual/
/icons/

Issuing the OPTIONS method again on the '/c/' directory give us:
hey@nix:~/# echo -e "OPTIONS /c/ HTTP/1.0\n" | nc -v server 80

HTTP/1.0 200 OK
Date: Tue, 03 Jul 2012 13:16:55 GMT
Server: Apache/1.3.27 (Unix) PHP/4.3.9
Content-Length: 0
Allow: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK, TRACE

The very same results as for the '/' root directoy: PUT is ALLOWED.
Now, the '/manual/ directory says the same.
However for the '/icons/' dir, the server answers that only GET, HEAD, OPTIONS, TRACE
are allowed.

Well, trying to use the PUT Method to upload a .txt file to the root folder or to '/manual/'
get a negative response:
"405 Method Not Allowed
The requested method PUT is not allowed for the URL /manual/test.txt."

Of Course the directory i'm trying to upload something to should also be writable
for the PUT to succeed, but why then the HTTP response is telling us that PUT is not allowed?

More important, why some directories replies that PUT is allowed and some dont?
<<

zeroflaw

User avatar

Full Member
Full Member

Posts: 208

Joined: Fri Feb 12, 2010 10:41 am

Location: Holland, Den Helder

Post Wed Jul 04, 2012 1:29 pm

Re: Web Server allowing the HTTP PUT Method

Hmm not sure. Well, I guess the permissions are set differently for those directories. To be honest I don't know why the PUT command isn't working, but I'm guessing it has something to do with the server configuration. Maybe the PUT method is allowed, but not implemented or mapped to the correct handler.

You could just search on google about the 405 error code in relation to the PUT method. Also look for some info about WebDav. Someone else might have a better answer :P
ZF
<<

tyr3ll

Newbie
Newbie

Posts: 2

Joined: Sat Nov 26, 2011 5:30 am

Post Thu Jul 05, 2012 4:31 am

Re: Web Server allowing the HTTP PUT Method

Thanks for your reply ZF.
your guessing sounds logical (something wrong on server side config or implementation),
cause if the PUT method is correctly handled by the server, i should get a "403 Forbidden" or "401 Unauthorized" which would indicate a write permissions issue on the remote folder.

Return to Web Applications

Who is online

Users browsing this forum: No registered users and 0 guests

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software