File creation via HTTP method PUT - Vulnerability Database

File creation via HTTP method PUT

Description

The web server is configured to accept HTTP PUT requests, which allows remote users to create or modify files on the server without authentication. Invicti successfully created a test file in the target directory using the PUT method. This misconfiguration typically occurs when web servers or WebDAV services are improperly configured, leaving the PUT method enabled and accessible to unauthenticated users.

Remediation

Disable the HTTP PUT method if it is not required for your application. If PUT functionality is necessary (such as for WebDAV or REST APIs), implement the following controls:

1. Require authentication and authorization for all PUT requests to ensure only authorized users can upload or modify files.

2. Disable PUT for static content directories and limit it only to specific application endpoints that require it.

For Apache, add to your configuration:

<Directory /var/www/html>
    # Safe methods stay anonymous; every other method (PUT, DELETE, ...) needs a valid login.
    # Require valid-user only works if AuthType, AuthName and an authentication provider
    # (e.g. AuthUserFile) are also configured for this directory; without them Apache
    # cannot check the user and returns a server error. On Apache 2.4, use
    # "Require all denied" instead to refuse the extra methods outright.
    <LimitExcept GET POST HEAD>
        Require valid-user
    </LimitExcept>
</Directory>

For Nginx, add to your server block:

location / {
    # limit_except is only valid inside a location block; methods not listed get a 403
    limit_except GET POST HEAD {
        deny all;
    }
}

For IIS, use the Request Filtering feature to block the PUT verb or configure WebDAV to require authentication.

3. Verify the configuration by testing that PUT requests are properly rejected or require authentication after implementing these changes.
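One way to script the verification in step 3, written here as an added example rather than code from this database entry or from Invicti: it sends an unauthenticated PUT of a small marker file to a directory you administer (the URL, file name and status-code sets are this example's own assumptions) and reports whether the server accepted or refused it, cleaning up the marker if it was stored.

```python
"""Post-remediation check: confirm a web server no longer accepts unauthenticated PUT."""
import http.client
import sys
from urllib.parse import urlparse

# Assumed status sets: these mean the upload was stored (misconfiguration still present).
ACCEPTED = {200, 201, 204}
# These mean PUT was refused or needs credentials (remediation is effective).
REJECTED = {401, 403, 405, 501}


def assess_put_status(status: int) -> str:
    """Map the status of the PUT response to 'vulnerable', 'fixed' or 'inconclusive'."""
    if status in ACCEPTED:
        return "vulnerable"
    if status in REJECTED:
        return "fixed"
    return "inconclusive"  # redirects, 5xx etc. need a manual look


def check_put(url: str, test_name: str = "put-check.txt", timeout: int = 10) -> tuple[int, str]:
    """PUT a harmless marker file under `url` without credentials; return (status, verdict).

    If the server stored the file, try a DELETE so no test debris is left behind.
    """
    parsed = urlparse(url)
    conn_cls = http.client.HTTPSConnection if parsed.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parsed.hostname, parsed.port, timeout=timeout)
    path = parsed.path.rstrip("/") + "/" + test_name
    body = b"put-check marker\n"  # constructed content, safe to leave if DELETE is refused
    conn.request("PUT", path, body=body,
                 headers={"Content-Type": "text/plain", "Content-Length": str(len(body))})
    resp = conn.getresponse()
    resp.read()  # drain so the connection can be reused
    verdict = assess_put_status(resp.status)
    if verdict == "vulnerable":
        conn.request("DELETE", path)  # best-effort cleanup of the marker file
        conn.getresponse().read()
    conn.close()
    return resp.status, verdict


if __name__ == "__main__":
    # usage: python put_check.py https://host.example/directory/
    status, verdict = check_put(sys.argv[1])
    print(f"PUT returned {status}: {verdict}")
```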
