Code Execution via WebDav
Description
This web server has WebDAV enabled with write permissions configured on the scanned directory. The vulnerability allows unauthenticated attackers to upload arbitrary files using the HTTP PUT method and execute them by exploiting a file extension parsing weakness. Invicti successfully demonstrated this by uploading a test file, renaming it using a double-extension technique (filename.asp;.jpg), and executing server-side code. This configuration bypasses typical upload restrictions and enables remote code execution without authentication.
Remediation
Immediately disable write permissions on the affected directory by removing PUT, DELETE, and MKCOL methods from the WebDAV configuration. If WebDAV functionality is not required, disable it entirely on the web server. For IIS servers, remove the WebDAV module or restrict it using web.config:
<system.webServer>
<security>
<requestFiltering>
<verbs>
<add verb="PUT" allowed="false" />
<add verb="DELETE" allowed="false" />
<add verb="MKCOL" allowed="false" />
</verbs>
</requestFiltering>
</security>
</system.webServer>For Apache servers, disable WebDAV in the virtual host configuration or use .htaccess to deny these methods:
<Limit PUT DELETE MKCOL> Deny from all </Limit>
If WebDAV is required for legitimate business purposes, implement strong authentication, restrict access to specific IP addresses or networks, and ensure uploaded files cannot be executed by placing them outside the web root or using appropriate file type restrictions.