Security & HTTP PUT
Many web developers are familiar with the GET and POST methods of allowing a user to submit data to a web application. Less well known is the PUT method, which lets a user upload files that the server turns automatically into new URLs.
PUT can be dangerous if it is not properly locked down. In the worst-case scenario, imagine a website that allows anyone to PUT data. An attacker could craft a PHP script that adds a new user account with root (admin) access to the server. The attacker then performs an HTTP PUT with this file, and a new URL is formed. When the attacker navigates to this URL, the web server executes the PHP file, which can then modify any files the web server's user account has access to, including existing web pages.
Sometimes PUT is a useful part of a web application. The key is making sure that only authenticated users have access, and that those authenticated users are carefully limited so only trusted users are allowed to perform PUTs. In this way, the PUT users are trusted as if they had an account on the server itself and were able to upload or modify files by other means, such as FTP.
If PUT requests are accepted from non-trusted accounts (generally non-administrators) or from the web browsing public, an attacker can take complete control of your site and possibly the entire web server as well.
If your website does not require PUT functionality, it is recommended to disable it and instead use another secure protocol with specific user logins, such as SFTP. If PUT is needed by the application, be sure to lock down all users. Requiring two layers of authentication is the best way to ensure this: first a web application login, and also HTTP authentication.
In this manner, users are named individually, and the set of users who can perform PUT requests is limited.
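As an added illustration (not code from the original article), here is a small Python gatekeeper that applies this policy to a WSGI request: a PUT is allowed only when an application session and HTTP Basic credentials both name the same user, that user is on a trusted allowlist, and the target name is not one the server would execute. The X-Session header, the user names, passwords and session tokens are constructed assumptions for the example.

```python
import base64

# Constructed sample data (not from the article): application sessions,
# HTTP Basic credentials, and the allowlist of users permitted to PUT.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}
BASIC_USERS = {"alice": "alice-pw", "bob": "bob-pw"}
TRUSTED_PUT_USERS = {"alice"}
# Suffixes the web server would execute rather than serve; never create them.
EXECUTABLE_SUFFIXES = (".php", ".phtml", ".phar", ".cgi", ".pl")


def basic_header(user, password):
    """Build an HTTP Basic Authorization header value for a user."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def _basic_user(authorization):
    """Return the user named by valid Basic credentials, else None."""
    if not authorization or not authorization.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(authorization[6:], validate=True).decode()
    except ValueError:  # bad base64 or non-UTF-8 payload
        return None
    user, sep, password = decoded.partition(":")
    if not sep or BASIC_USERS.get(user) != password:
        return None
    return user


def check_request(environ):
    """Apply the PUT policy to a WSGI environ; return (status, reason)."""
    if environ.get("REQUEST_METHOD", "GET") != "PUT":
        return 200, "not a PUT; upload policy does not apply"
    # First layer: the application's own login (assumed X-Session header).
    session_user = SESSIONS.get(environ.get("HTTP_X_SESSION"))
    # Second layer: HTTP authentication on the same request.
    basic_user = _basic_user(environ.get("HTTP_AUTHORIZATION"))
    if session_user is None or basic_user is None:
        return 401, "PUT requires both an application login and HTTP auth"
    if session_user != basic_user:
        return 403, "session and HTTP auth name different users"
    if basic_user not in TRUSTED_PUT_USERS:
        return 403, f"{basic_user} is not a trusted PUT user"
    path = environ.get("PATH_INFO", "")
    if path.lower().endswith(EXECUTABLE_SUFFIXES):
        return 403, "refusing to create a server-executable file"
    return 200, f"PUT to {path} allowed for {basic_user}"
```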