This notice comes up when the DELETE method returns a 200 response to the request to delete a file.

Note: this is different from saying it actually deleted the file. The wording IS careful and accurate. The same test will also try to delete the file and, if it succeeds, report that fact. Here, it tried but failed to delete, yet the server still reported a 200 for the request. Most servers we've seen reporting this have mapped the DELETE action to perform the same function as GET (don't ask me why).

Thomas

joshua goldfarb wrote:
>
> I will be having the IIS servers I manage audited by a computer security
> company next week. The servers are very secure and I put a lot of time
> into keeping them that way. In anticipation of next week's test I ran one
> of my vulnerability scans last night using Nessus. Everything checks out
> fine with the exception of;
> "It seems that the DELETE method is enabled on your web server
> Although we could not exploit this, you'd better disable it
> Solution : disable this method
> Risk factor : Medium
> It seems that the DELETE method is enabled on your web server
> Although we could not exploit this, you'd better disable it
> Solution : disable this method
> Risk factor : Medium"
>
> This is only present on a few of the servers. After some digging on google
> I discovered that "methods" such as GET, PUT, DELETE are defined through
> IIS script mappings. I have checked out the script mappings on the
> machines that show the vulnerability and I cannot find "DELETE" defined in
> any of the mappings. I am starting to think it maybe a nessus false
> positive but for my own peace of mind is there anywhere else this method
> could be disabled? Or is it really a nessus false positive..
>
> Thanks
> josh

--
------------------------------------------------------------
E-Soft Inc.                             http://www.e-softinc.com
Publishers of SecuritySpace             http://www.securityspace.com
Tel: 1-905-331-2260                     Fax: 1-905-331-2504
Tollfree in North America: 1-800-799-4831
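The distinction the reply draws (a 200 to DELETE versus the file actually being gone) is easy to verify by hand: send the DELETE, then ask for the same path again. The script below is an added example, not part of the original thread and not Nessus plugin code. It runs a small in-process HTTP server (constructed for the demo, with a hypothetical "mirror_get" mode that answers DELETE exactly like GET, the behaviour the reply describes) and checks it the same way you would check a real host: DELETE, then HEAD, then compare the two status codes. The host, port, path and mode names are assumptions for illustration only.

```python
"""Distinguish "DELETE answered 200" from "DELETE removed the file".

Added example (not from the original post). Runs a throwaway local server in
three hypothetical modes and probes it with DELETE followed by HEAD.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def _status(host, port, method, path, timeout=5):
    """Issue one request and return the HTTP status code (fresh connection each time)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request(method, path)
        resp = conn.getresponse()
        resp.read()  # drain the body so the connection can be closed cleanly
        return resp.status
    finally:
        conn.close()


def run_check(host, port, path):
    """Send DELETE, then HEAD the same path to see whether the resource survived.

    Verdicts:
      deleted              - DELETE accepted and the resource is now gone (real exposure)
      enabled-not-deleted  - DELETE answered 200 but the resource is still there
                             (the situation described in the reply: DELETE mapped to GET)
      rejected             - DELETE refused (405/403/etc.) or resource never existed
    """
    delete_status = _status(host, port, "DELETE", path)
    head_status = _status(host, port, "HEAD", path)
    if delete_status in (200, 202, 204) and head_status == 404:
        verdict = "deleted"
    elif delete_status == 200 and head_status == 200:
        verdict = "enabled-not-deleted"
    else:
        verdict = "rejected"
    return {"delete": delete_status, "head": head_status, "verdict": verdict}


def make_handler(mode, resources):
    """Build a request handler for a constructed demo server.

    mode is a hypothetical label for this example only:
      "mirror_get" - DELETE behaves like GET (returns 200 and the body, deletes nothing)
      "real"       - DELETE actually removes the resource and returns 204
      "deny"       - DELETE is not allowed (405)
    """
    class Handler(BaseHTTPRequestHandler):
        def log_message(self, *args):  # keep the demo quiet
            pass

        def _serve(self, with_body):
            body = resources.get(self.path)
            if body is None:
                self.send_response(404)
                self.end_headers()
                return
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            if with_body:
                self.wfile.write(body)

        def do_GET(self):
            self._serve(True)

        def do_HEAD(self):
            self._serve(False)

        def do_DELETE(self):
            if mode == "mirror_get":
                self._serve(True)  # misconfiguration: DELETE mapped to GET's handler
            elif mode == "real":
                if self.path in resources:
                    del resources[self.path]
                    self.send_response(204)
                else:
                    self.send_response(404)
                self.end_headers()
            else:
                self.send_response(405)
                self.send_header("Allow", "GET, HEAD")
                self.end_headers()

    return Handler


def demo(mode):
    """Start a local server in the given mode, run the check, and return the verdict."""
    resources = {"/test.txt": b"hello\n"}  # constructed sample content
    server = HTTPServer(("127.0.0.1", 0), make_handler(mode, resources))
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        return run_check("127.0.0.1", server.server_address[1], "/test.txt")["verdict"]
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for m in ("mirror_get", "real", "deny"):
        print(m, "->", demo(m))
```

Against a real host, call run_check with the server's address and a path you are allowed to delete; only the "deleted" verdict means the method is exploitable, while "enabled-not-deleted" is exactly the "could not exploit this" case the scanner reported.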
