WebDAV directory listing
Description
The WebDAV PROPFIND method allows clients to retrieve properties and metadata for resources on a web server. When directory browsing is enabled, this method can be exploited to recursively enumerate all files and folders within a directory structure, even if no direct links to these resources exist on the website. This information disclosure vulnerability allows attackers to map the server's file system structure, discover hidden files, backup copies, configuration files, and other resources that were not intended to be publicly accessible.
Remediation
Take the following steps to remediate this vulnerability:
1. Disable WebDAV if not required: If WebDAV functionality is not necessary for your application, disable it entirely at the web server level.
For IIS, disable WebDAV in web.config:
<system.webServer> <webdav enabled="false" /> </system.webServer>
For Apache, remove or comment out the WebDAV module:
# a2dismod dav # a2dismod dav_fs
2. Disable directory browsing: If WebDAV must remain enabled, disable directory browsing for all directories except those explicitly requiring it.
For IIS:
<system.webServer> <directoryBrowse enabled="false" /> </system.webServer>
3. Implement access controls: Restrict WebDAV access to authenticated users only and limit permissions to specific directories using authentication and authorization rules.
4. Review file permissions: Ensure that sensitive files and directories have appropriate access controls at the file system level to prevent unauthorized access even if enumerated.