WebDAV Directory Has Write Permissions

Description

This server has WebDAV enabled with write permissions configured on the tested directory. The scanner successfully created a test file using the HTTP PUT method, confirming that unauthorized file creation is possible. This misconfiguration allows remote users to upload or modify files without authentication, which commonly occurs when WebDAV is enabled with overly permissive access controls or when the PUT method is not properly restricted.

Remediation

Immediately restrict or disable the HTTP PUT method on this directory. Implement one or more of the following solutions based on your web server:

For Apache:
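Add the following to your virtual host configuration. In an .htaccess file placed in the WebDAV directory, use only the <LimitExcept> block, because <Directory> sections are not allowed in .htaccess:

<Directory /path/to/webdav>
    # Every method other than GET, POST and HEAD (PUT and DELETE included) requires a login.
    # Require valid-user only works when authentication (AuthType, AuthName and a
    # user file or provider) is configured for this directory.
    <LimitExcept GET POST HEAD>
        Require valid-user
    </LimitExcept>
</Directory>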

For IIS:
1. Open IIS Manager and navigate to the affected directory
2. Select 'WebDAV Authoring Rules'
3. Remove or modify rules that allow PUT/DELETE methods
4. Ensure authentication is required for all write operations

For Nginx:
Add to your server block:

location /webdav/ {
    # Only GET and HEAD are allowed; every other method (PUT, DELETE, ...) is denied.
    limit_except GET HEAD {
        deny all;
    }
}

General recommendations:
- If WebDAV is not required, disable it entirely
- Implement strong authentication (preferably certificate-based or multi-factor)
- Restrict WebDAV access by IP address if possible
- Regularly audit file permissions and uploaded content
- Monitor server logs for suspicious PUT/DELETE requests
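
One way to act on the log-monitoring recommendation, as an added example that is not part of the original advisory or of Invicti's tooling. It assumes the Apache/Nginx "combined" access log format and a /webdav/ path prefix; the function names and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# WebDAV methods that create, change or remove content on the server.
WRITE_METHODS = {"PUT", "DELETE", "MKCOL", "COPY", "MOVE", "PROPPATCH"}

# Combined log format: host ident user [time] "request" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def find_webdav_writes(lines, prefix="/webdav/"):
    """Return write-method requests under prefix that the server accepted (2xx)."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] not in WRITE_METHODS:
            continue
        if not m["path"].startswith(prefix) or not m["status"].startswith("2"):
            continue
        hits.append({
            "ip": m["ip"], "time": m["time"], "method": m["method"],
            "path": m["path"], "status": int(m["status"]),
            # "-" in the user field means no authenticated user was logged.
            "unauthenticated": m["user"] == "-",
        })
    return hits

def summarize_by_client(hits):
    """Group accepted writes by client IP for triage."""
    by_ip = defaultdict(list)
    for h in hits:
        by_ip[h["ip"]].append(f'{h["method"]} {h["path"]}')
    return dict(by_ip)

# Constructed sample lines (documentation IP ranges), not from a real server.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Mar/2025:09:14:02 +0000] "PUT /webdav/test.txt HTTP/1.1" 201 0 "-" "curl/8.5.0"',
    '198.51.100.7 - - [10/Mar/2025:09:14:03 +0000] "GET /webdav/test.txt HTTP/1.1" 200 12 "-" "curl/8.5.0"',
    '203.0.113.20 - alice [10/Mar/2025:09:20:11 +0000] "PUT /webdav/report.docx HTTP/1.1" 204 0 "-" "DavClnt"',
    '192.0.2.55 - - [10/Mar/2025:09:31:40 +0000] "DELETE /webdav/index.html HTTP/1.1" 403 199 "-" "curl/8.5.0"',
    '198.51.100.7 - - [10/Mar/2025:09:32:05 +0000] "MKCOL /webdav/new/ HTTP/1.1" 201 0 "-" "curl/8.5.0"',
    '192.0.2.55 - - [10/Mar/2025:09:33:00 +0000] "PUT /uploads/x.txt HTTP/1.1" 201 0 "-" "curl/8.5.0"',
]

if __name__ == "__main__":
    for h in find_webdav_writes(SAMPLE_LOG):
        flag = "UNAUTHENTICATED" if h["unauthenticated"] else "authenticated"
        print(h["time"], h["ip"], h["method"], h["path"], h["status"], flag)
```

Accepted writes with no logged user are the entries that correspond to the condition this finding describes; rejected attempts (4xx) are filtered out here but can be counted separately to spot probing.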
