Is simply looking at the result of OPTIONS * enough for Apache?
Should webdav_enabled.nasl also check the Server: line to see if the DAV module has been included?
Apache doesn't follow the definition of OPTIONS * and report the overall capability of the web server.
On my server I have included the DAV module
LoadModule dav_module libexec/httpd/libdav.so
AddModule mod_dav.c
However, "DAV On" is not included at the document root; "DAV On" is included on a lower directory "/project/edit/". If you query OPTIONS * for the web server there is no "DAV:" line. If you query OPTIONS /project/edit/ then the response does include the "DAV:" line.
So, with Apache the OPTIONS * cannot be relied upon to report the overall capability of the web server. You only find out about WebDAV if you query the options for a directory that actually has "DAV On".
Of course, it is likely that most administrators don't realise that they can specify "DAV On" for individual directories. I expect most administrators simply set "DAV On" at the document root.
Now, even though OPTIONS * does not tell you that WebDAV is included it is still possible to tell that the DAV module has been included in Apache as its name appears in the Server: line. For example, from my system "Server: Apache/1.3.33 DAV/1.0.3".
So, should webdav_enabled.nasl also check for " DAV/" in the response?
Dennis.
_______________________________________________
Plugins-writers mailing list
Plugins-writers@list.nessus.org
http://mail.nessus.org/mailman/listinfo/plugins-writers
Should webdav_enabled.nasl also check the Server: line to see if the DAV module has been included?
Apache doesn't follow the definition of OPTIONS * and report the overall capability of the web server.
On my server I have included the DAV module
LoadModule dav_module libexec/httpd/libdav.so
AddModule mod_dav.c
However, "DAV On" is not included at the document root; "DAV On" is included on a lower directory "/project/edit/". If you query OPTIONS * for the web server there is no "DAV:" line. If you query OPTIONS /project/edit/ then the response does include the "DAV:" line.
So, with Apache the OPTIONS * cannot be relied upon to report the overall capability of the web server. You only find out about WebDAV if you query the options for a directory that actually has "DAV On".
Of course, it is likely that most administrators don't realise that they can specify "DAV On" for individual directories. I expect most administrators simply set "DAV On" at the document root.
Now, even though OPTIONS * does not tell you that WebDAV is included it is still possible to tell that the DAV module has been included in Apache as its name appears in the Server: line. For example, from my system "Server: Apache/1.3.33 DAV/1.0.3".
So, should webdav_enabled.nasl also check for " DAV/" in the response?
Dennis.
_______________________________________________
Plugins-writers mailing list
Plugins-writers@list.nessus.org
http://mail.nessus.org/mailman/listinfo/plugins-writers