Report from an N-Stalker scan - Security

By Regina
at 2007-11-20T15:53


Because my host's web pages were compromised earlier and used as a jump host,

after reinstalling I used N-Stalker to scan for any vulnerabilities first.

One of the items it reported was:

Comments
An insecure HTTP method has been detected as available in the Web Server side
and may be exploited under certain conditions.
Although it may varies accordingly to the situation, HTTP methods others than
GET, POST and HEAD are not common and should be evaluated before being made
public available on production-level Web Servers.

Some problems may arise because of information leakage problem such as TRACE
method (that may reveal internal private HTTP Headers) or may be used for
client-side credentials stealing attacks. Other methods such as PROPFIND and
WebDav-based methods may allow for arbitrary file uploading and should not be
available under normal conditions.

This issue can be considered an Insecure Configuration Management as
described in OWASP Top10 Web Application Vulnerabilities, Section A10: "Web
server and application server configurations play a key role in the security
of a web application. These servers are responsible for serving content and
invoking applications that generate content. In addition, many application
servers provide a number of services that web applications can use, including
data storage, directory services, mail, messaging, and more. Failure to
manage the proper configuration of your servers can lead to a wide variety of
security problems."

I originally thought this meant I had to restrict the parameter-passing methods the host accepts,

so I added the following:
<Directory />
    <Limit GET POST OPTIONS>
        Order allow,deny
        Allow from all
    </Limit>
    <LimitExcept GET POST OPTIONS>
        Order deny,allow
        Deny from all
    </LimitExcept>
</Directory>


But the scan still produces the same comment.

Could a senior please advise? Thanks.

--
Tags: Security
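An added note and example, not part of the original post or of any reply to it: the `<Limit>`/`<LimitExcept>` block above does block PROPFIND and the other WebDAV methods, but Apache documents that TRACE cannot be limited by those directives at all; the only switch for it is `TraceEnable off` (available from Apache 2.0.55 and 2.2). That is why the scanner keeps reporting the finding. The script below audits a constructed httpd.conf fragment modelled on the one in the post and reports exactly that gap, then shows the same fragment with `TraceEnable off` added. The sample configuration strings, the `audit_methods` helper and the list of methods it treats as risky are this example's own assumptions, not N-Stalker's rules or Apache code.

```python
import re

# Constructed httpd.conf fragment modelled on the poster's block (no TraceEnable line).
SAMPLE_CONF_BEFORE = """
<Directory />
    <Limit GET POST OPTIONS>
        Order allow,deny
        Allow from all
    </Limit>
    <LimitExcept GET POST OPTIONS>
        Order deny,allow
        Deny from all
    </LimitExcept>
</Directory>
"""

# Same fragment with the remediation added (assumes Apache 2.0.55+/2.2, where TraceEnable exists).
SAMPLE_CONF_AFTER = "TraceEnable off\n" + SAMPLE_CONF_BEFORE

LIMIT_RE = re.compile(r"<Limit\s+([^>]+)>", re.IGNORECASE)
LIMIT_EXCEPT_RE = re.compile(r"<LimitExcept\s+([^>]+)>", re.IGNORECASE)
TRACE_RE = re.compile(r"^\s*TraceEnable\s+(\S+)", re.IGNORECASE | re.MULTILINE)

# Methods this example treats as needing justification on a production server
# (assumption, following the scanner's "other than GET, POST and HEAD" wording).
RISKY = {"TRACE", "PUT", "DELETE", "CONNECT",
         "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}


def _methods(method_list: str) -> set:
    """Turn the method list of a <Limit ...> tag into an upper-case set."""
    return {m.upper() for m in method_list.split()}


def audit_methods(conf: str) -> dict:
    """Audit an httpd.conf fragment for the HTTP-method exposure the scanner describes."""
    findings = []

    # 1. TRACE: <Limit>/<LimitExcept> never apply to TRACE; TraceEnable defaults to 'on'.
    m = TRACE_RE.search(conf)
    trace_enabled = not (m and m.group(1).lower() == "off")
    if trace_enabled:
        findings.append("TRACE still enabled: <Limit>/<LimitExcept> never cover TRACE; "
                        "add 'TraceEnable off'")

    # 2. Methods explicitly permitted by <Limit ...> blocks.
    allowed = set()
    for tag in LIMIT_RE.finditer(conf):
        allowed |= _methods(tag.group(1))

    # 3. Is every other method denied by a <LimitExcept ...> block with 'Deny from all'?
    except_methods = None
    for tag in LIMIT_EXCEPT_RE.finditer(conf):
        body = conf[tag.end():]
        end = body.lower().find("</limitexcept>")
        if end != -1:
            body = body[:end]
        if re.search(r"^\s*Deny\s+from\s+all", body, re.IGNORECASE | re.MULTILINE):
            except_methods = _methods(tag.group(1))
    if except_methods is None:
        findings.append("no <LimitExcept ...> with 'Deny from all': unlisted methods "
                        "(PROPFIND, PUT, ...) are not blocked")

    # 4. Anything risky that the <Limit> block explicitly opens up.
    for meth in sorted(allowed & RISKY):
        findings.append(f"{meth} is explicitly allowed by <Limit>")

    # 5. Informational: methods beyond GET/POST/HEAD that the scanner asks you to evaluate.
    extra = sorted(allowed - {"GET", "POST", "HEAD"})
    if extra:
        findings.append("methods beyond GET/POST/HEAD are allowed: " + ", ".join(extra))

    return {"trace_enabled": trace_enabled, "allowed": allowed, "findings": findings}


if __name__ == "__main__":
    for label, conf in (("before", SAMPLE_CONF_BEFORE), ("after", SAMPLE_CONF_AFTER)):
        result = audit_methods(conf)
        print(f"== {label}: TRACE enabled = {result['trace_enabled']}")
        for f in result["findings"]:
            print("  -", f)
```

On the "before" fragment the audit reports TRACE as still enabled even though the `<LimitExcept>` block denies everything outside GET/POST/OPTIONS; on the "after" fragment that finding disappears and only the informational note about OPTIONS remains, which is the one item left to decide on deliberately.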
