作者 主題: N-Stalker掃描後的report  (閱讀 3669 次)

0 會員 與 1 訪客 正在閱讀本文。

pc810232

  • 懷疑的國中生
  • **
  • 文章數: 31
    • 檢視個人資料
N-Stalker掃描後的report
« 於: 2007-11-11 20:14 »
因為之前主機網頁有遭受入侵 當作跳板

所以重新安裝後  使用N-Stalker這套先掃掃看有沒有什麼漏洞

其中有一項是

Comments
An insecure HTTP method has been detected as available in the Web Server side and may be exploited under certain conditions.
Although it may varies accordingly to the situation, HTTP methods others than GET, POST and HEAD are not common and should be evaluated before being made public available on production-level Web Servers.

Some problems may arise because of information leakage problem such as TRACE method (that may reveal internal private HTTP Headers) or may be used for client-side credentials stealing attacks. Other methods such as PROPFIND and WebDav-based methods may allow for arbitrary file uploading and should not be available under normal conditions.

This issue can be considered an Insecure Configuration Management as described in OWASP Top10 Web Application Vulnerabilities, Section A10: "Web server and application server configurations play a key role in the security of a web application. These servers are responsible for serving content and invoking applications that generate content. In addition, many application servers provide a number of services that web applications can use, including data storage, directory services, mail, messaging, and more. Failure to manage the proper configuration of your servers can lead to a wide variety of security problems."

我本來以為是要限制主機參數傳遞方法

所以加上以下這些
<Directory />
<Limit GET POST OPTIONS>
Order allow,deny
Allow from all
</Limit>
<LimitExcept GET POST OPTIONS>
Order deny,allow
Deny from all
</LimitExcept>
</Directory>


結果還是一樣會有這個commet

請前輩指導  謝謝[/img]