선 밖에 선 자유인
Blocking vulnerable HTTP methods on the Apache web server
- Checking for vulnerable Apache HTTP methods
[root@CentOS-6-APM apache]# curl -I -X OPTIONS http://localhost
HTTP/1.1 200 OK
Date: Fri, 25 Nov 2016 02:06:50 GMT
Server: Apache
Allow: OPTIONS,GET,HEAD,POST,TRACE
Content-Length: 0
Content-Type: text/html
- Add the following to the DocumentRoot directory block (** caution: it must be set on the DocumentRoot block, e.g. <Directory "/var/www/html">, not on <Directory />)
<Directory "/var/www/html">
    AllowOverride None
    Require all granted
    # Every method other than GET and POST (HEAD is covered by GET) is refused
    # with 403. Order/Deny are 2.2-style directives served by mod_access_compat
    # on 2.4; the native 2.4 equivalent inside the block is "Require all denied".
    <LimitExcept GET POST>
        Order deny,allow
        Deny from all
    </LimitExcept>
</Directory>
- After restarting Apache, verify (the vulnerable methods are no longer reported)
[root@CentOS-6-APM ~]# curl -I -X OPTIONS http://localhost
HTTP/1.1 403 Forbidden
Date: Fri, 25 Nov 2016 02:30:57 GMT
Server: Apache
Content-Length: 209
Content-Type: text/html; charset=iso-8859-1
- POST: 200 OK; PUT, DELETE: 403 Forbidden
[root@CentOS-6-APM ~]# curl -I -X POST http://localhost
HTTP/1.1 200 OK
Date: Fri, 25 Nov 2016 02:31:10 GMT
Server: Apache
Last-Modified: Fri, 25 Nov 2016 00:52:02 GMT
ETag: "5-5421587b9e67d"
Accept-Ranges: bytes
Content-Length: 5
Content-Type: text/html
[root@CentOS-6-APM apache]# curl -I -X TRACE http://localhost
HTTP/1.1 405 Method Not Allowed
Date: Fri, 25 Nov 2016 02:18:50 GMT
Server: Apache/2.4.23 (Unix) PHP/5.6.11
Allow:
Content-Length: 223
Content-Type: text/html; charset=iso-8859-1
[root@CentOS-6-APM ~]# curl -I -X PUT http://localhost
HTTP/1.1 403 Forbidden
Date: Fri, 25 Nov 2016 02:31:31 GMT
Server: Apache
Content-Length: 209
Content-Type: text/html; charset=iso-8859-1
[root@CentOS-6-APM ~]# curl -I -X DELETE http://localhost
HTTP/1.1 403 Forbidden
Date: Fri, 25 Nov 2016 02:31:36 GMT
Server: Apache
Content-Length: 209
Content-Type: text/html; charset=iso-8859-1
Note, however, that TRACE is not blocked by the configuration above; TraceEnable Off must be set separately.
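As an added example (not from the original post), the curl checks above gathered into one shell script: it reads the unsafe methods out of an Allow header, sends each method to the server with -I as the post does, and flags any method outside GET/POST that still returns something other than 403 (LimitExcept) or 405 (TraceEnable Off). The target URL, the method list and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): probe a web server for each HTTP
# method with curl and flag any method that should have been refused.
# Assumptions: the target URL, the method list and all function names are
# this example's own choices.

# Methods a static DocumentRoot should refuse (the post blocks all but GET/POST).
UNSAFE_METHODS="OPTIONS TRACE PUT DELETE"

# Print the unsafe methods advertised by an "Allow:" header line.
# Example input: 'Allow: OPTIONS,GET,HEAD,POST,TRACE'  ->  'OPTIONS TRACE'
unsafe_from_allow() {
    allow=$(printf '%s' "$1" | tr -d '\r' \
        | sed 's/^[Aa][Ll][Ll][Oo][Ww]:[[:space:]]*//' | tr ',' ' ')
    found=""
    for m in $allow; do
        m=$(printf '%s' "$m" | tr '[:lower:]' '[:upper:]')
        case " $UNSAFE_METHODS " in
            *" $m "*) found="$found $m" ;;
        esac
    done
    printf '%s\n' "${found# }"
}

# Classify one (method, status) pair. GET/POST/HEAD may succeed; anything else
# must come back 403 (LimitExcept) or 405 (TraceEnable Off), else it is exposed.
verdict() {
    method=$1
    status=$2
    case "$method" in
        GET|HEAD|POST) printf 'ok\n' ;;
        *)
            case "$status" in
                403|405) printf 'blocked\n' ;;
                *)       printf 'EXPOSED\n' ;;
            esac
            ;;
    esac
}

# Send each method with curl (-I as in the post, so no body is read) and print
# "METHOD STATUS VERDICT" per line. Returns 1 if any method is exposed.
probe() {
    url=${1:-http://localhost}   # assumed target
    rc=0
    for m in OPTIONS GET HEAD POST TRACE PUT DELETE; do
        code=$(curl -sS --max-time 5 -o /dev/null -w '%{http_code}' -I -X "$m" "$url")
        v=$(verdict "$m" "$code")
        printf '%-8s %s %s\n' "$m" "$code" "$v"
        [ "$v" = "EXPOSED" ] && rc=1
    done
    return $rc
}

# Run the probe only when a URL is given on the command line,
# e.g.: sh probe_methods.sh http://localhost
if [ "$#" -gt 0 ]; then
    probe "$1"
fi
```

Run it before and after the Directory change: before, OPTIONS and TRACE show up in the Allow header and PUT/DELETE return 200; after, everything but GET/HEAD/POST should read "blocked", with TRACE only reaching 405 once TraceEnable Off is in place.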