Configuration Management / HTTP Put Method Is Enabled
HTTP PUT method is enabled vulnerability is a Configuration Management vulnerability (CWE-264) that allows an attacker to modify existing web resources or create new resources via web server. It can be exploited to create malicious files or modify data on a vulnerable server. The vulnerability is categorized as a Security Misconfiguration (CWE-732) according to the Common Weakness Enumeration (CWE) directory. OWASP Testing Guide Version 4.0 also mentions HTTP PUT method enabled vulnerability as part of the Testing for Security Misconfiguration.
The risk of this vulnerability is high as it allows an attacker to modify existing web resources or create new resources on a vulnerable web server. An attacker can exploit this vulnerability to inject malicious code or modify data on a vulnerable server. This can lead to data leakage, data loss, and other security issues.
The solution to this vulnerability is to disable the HTTP PUT method. This can be done by disabling the PUT method in the web server configuration file. It is also recommended to restrict access to the web server by using authentication and authorization mechanisms.
The following code is an example from the CVE directory (CVE-2017-7485) of a vulnerable web server that has the HTTP PUT method enabled.
PUT /upload HTTP/1.1 Host: example.com Content-Length: 16 Content-Type: text/plain This is a test