Check Point Reference: | SBP-2006-24 |
Date Published: | 16 Jul 2006 |
Severity: | High |
Last Updated: | Sunday 01 January, 2006 |
Source: | SmartDefense Research Center |
Protection Provided by: | |
Who is Vulnerable? | Web servers |
Vulnerability Description | The HTTP RFC defines a restricted set of HTTP methods. Even some of these standard methods are unsafe, because they can be used to exploit vulnerabilities on a web server. Many of the non-standard methods have a poor security record; the Microsoft WebDAV methods, for example, have known security issues, as discussed in the IPS Advisories page. |
Vulnerability Details | Web Intelligence divides the HTTP methods into three groups: standard safe (GET, HEAD and POST), standard unsafe (the other standard HTTP methods), and WebDAV. By default, all methods other than the standard safe methods are blocked.
To allow users access to popular applications such as Microsoft Hotmail, Outlook Web Access, and FrontPage, the non-RFC-compliant WebDAV HTTP methods can be allowed. It is also possible to choose exactly which methods to block. For example, if only the GET and POST methods are allowed and all others are blocked, the following HTTP request, which uses a WebDAV method, will be rejected: MKCOL / HTTP/1.0 |
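As an added example (not part of the Check Point advisory), the following Python filter applies the three-group classification above to raw HTTP request lines and rejects any method outside an allow-list; the method sets are an assumption taken from the RFC 2616 core methods and the RFC 4918 WebDAV methods plus Microsoft's SEARCH, which the advisory does not itself enumerate.

```python
"""Classify HTTP request methods into the advisory's three groups and
decide whether a raw request line passes a method allow-list."""
import re

# Method groups (assumed membership: RFC 2616 core methods, RFC 4918
# WebDAV methods, plus Microsoft's SEARCH extension).
STANDARD_SAFE = frozenset({"GET", "HEAD", "POST"})
STANDARD_UNSAFE = frozenset({"OPTIONS", "PUT", "DELETE", "TRACE", "CONNECT"})
WEBDAV = frozenset({"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                    "LOCK", "UNLOCK", "SEARCH"})

# Request-line grammar: method token, one space, target, one space, version.
# The token class is the RFC 7230 "tchar" set; matching is case-sensitive.
REQUEST_LINE = re.compile(
    r"^([!#$%&'*+\-.^_`|~0-9A-Za-z]+) (\S+) HTTP/(\d)\.(\d)$")


def classify(method: str) -> str:
    """Return the advisory's group name for an exact (case-sensitive) token."""
    if method in STANDARD_SAFE:
        return "standard-safe"
    if method in STANDARD_UNSAFE:
        return "standard-unsafe"
    if method in WEBDAV:
        return "webdav"
    return "unknown"


def check_request_line(line: str, allowed: frozenset = STANDARD_SAFE) -> dict:
    """Parse one request line and decide whether its method is allowed.

    The default allow-list is the advisory's default (standard safe only).
    A line that does not parse as a well-formed request line is rejected,
    and a lower-case or mixed-case method is not normalised: "get" is not
    "GET", so it falls into the unknown group and is rejected too.
    """
    m = REQUEST_LINE.match(line.rstrip("\r\n"))
    if not m:
        return {"method": None, "group": "malformed", "allowed": False}
    method = m.group(1)
    return {"method": method, "group": classify(method),
            "allowed": method in allowed}


if __name__ == "__main__":
    # Constructed sample request lines, including the advisory's MKCOL case.
    only_get_post = frozenset({"GET", "POST"})
    for sample in ("GET /index.html HTTP/1.1", "MKCOL / HTTP/1.0",
                   "PUT /upload HTTP/1.1", "get / HTTP/1.1"):
        print(sample, "->", check_request_line(sample, only_get_post))
```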