[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [WEB SECURITY] apache issue

From: Ivan Ristic <ivan.ristic@xxxxxxxxx>
Subject: Re: [WEB SECURITY] apache issue
Date: Tue, 7 Jun 2005 18:46:20 +0100

> <Limit GET>
>    order deny,allow
>    deny from all
> </Limit>

This will only reject GET and HEAD requests (HEAD is always implied
when GET is used), allowing all other request methods to proceed. For
example, "GET /index.php HTTP/1.0" would not be allowed, but "POST
/index.php HTTP/1.0" would. Even "XYZ /index.php HTTP/1.0" works in my
tests. Omitting the <Limit> container is better because the
restrictions are applied to all request methods equally.

-- 
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org

---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/

Follow-Ups:
- Re: [WEB SECURITY] apache issue
  - From: Jay D. Dyson

References:
- [WEB SECURITY] apache issue
  - From: Anita Salerno
- Re: [WEB SECURITY] apache issue
  - From: Jay D. Dyson

Prev by Date: Re: [WEB SECURITY] apache issue
Next by Date: [WEB SECURITY] stats on how web app vulns are identified
Previous by thread: Re: [WEB SECURITY] apache issue
Next by thread: Re: [WEB SECURITY] apache issue
Index(es):
- Date
- Thread

Brought to you by http://www.webappsec.org
Search this site