Preventing PROPFIND requests

Posted: Mon Sep 18, 2006 11:19 am
by RobertGonzalez
I was asked this morning if there is a way to prevent the PROPFIND request method on Apache. After reading up on it, it seems as though PROPFIND (and PROPPATCH) are parts of the WebDAV module and they are used for file manipulation and versioning. If I am incorrect in this assessment, please correct me.

I also noticed, when looking through the access logs, that there are numerous calls to PROPFIND (that all meet a 405 server response). My question is, is there a way to not allow a PROPFIND request? I have a section of a sample httpd.conf file, but I am not sure what to do with it. Any help would be much appreciated.

From the access logs (**** are used to replace actual directory names that I cannot show):

69.109.252.201 - - [16/Sep/2006:00:00:02 -0700] "PROPFIND /**** HTTP/1.1" 405 22869
69.109.252.201 - - [16/Sep/2006:00:00:23 -0700] "PROPFIND /**** HTTP/1.1" 405 22869
69.109.252.201 - - [16/Sep/2006:00:00:33 -0700] "PROPFIND /**** HTTP/1.1" 405 22869
66.234.220.62 - - [16/Sep/2006:01:41:31 -0700] "PROPFIND /SysVol HTTP/1.1" 405 22869
66.234.220.62 - - [16/Sep/2006:01:41:31 -0700] "PROPFIND /SysVol HTTP/1.1" 405 22869
71.202.249.191 - - [16/Sep/2006:07:01:06 -0700] "PROPFIND /SysVol HTTP/1.1" 405 22869
71.202.249.191 - - [16/Sep/2006:07:01:06 -0700] "PROPFIND /**** HTTP/1.1" 405 22869
71.202.249.191 - - [16/Sep/2006:07:01:06 -0700] "PROPFIND /SysVol HTTP/1.1" 405 22869
71.202.249.191 - - [16/Sep/2006:07:01:08 -0700] "PROPFIND /**** HTTP/1.1" 405 22869

Sample httpd.conf text:

# Control access to UserDir directories. The following is an example
# for a site where these directories are restricted to read-only.
#
# You must correct the path for the root to match your system's configured
# user directory location, e.g. "C:/WinNT/profiles/*/My Documents/My Website"
# or whichever, as appropriate.
#
#<Directory "C:/Documents and Settings/*/My Documents/My Website">
# AllowOverride FileInfo AuthConfig Limit
# Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
# <Limit GET POST OPTIONS PROPFIND>
# Order allow,deny
# Allow from all
# </Limit>
# <LimitExcept GET POST OPTIONS PROPFIND>
# Order deny,allow
# Deny from all
# </LimitExcept>
#</Directory>
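
An added example, not part of the original posts: a short Python script that tallies WebDAV-method requests in an Apache access log per client and separates the ones the server refused (403/405/501, like the 405s in the excerpt above) from any that got a different answer and deserve a closer look. The log lines, addresses and paths in it are constructed samples, and the function name `summarize_dav` is hypothetical.

```python
import re
from collections import Counter

# WebDAV methods (RFC 4918); PROPFIND and PROPPATCH are the two named in the thread.
DAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}
# Statuses that mean the server refused the method outright.
REFUSED = {403, 405, 501}

# Apache Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (documentation IP ranges), not taken from the thread.
SAMPLE_LOG = """\
192.0.2.10 - - [16/Sep/2006:00:00:02 -0700] "PROPFIND /docs HTTP/1.1" 405 22869
192.0.2.10 - - [16/Sep/2006:00:00:23 -0700] "PROPFIND /docs HTTP/1.1" 405 22869
198.51.100.7 - - [16/Sep/2006:01:41:31 -0700] "PROPFIND /SysVol HTTP/1.1" 405 22869
198.51.100.7 - - [16/Sep/2006:01:41:35 -0700] "GET /index.html HTTP/1.1" 200 5120
203.0.113.44 - - [16/Sep/2006:07:01:06 -0700] "PROPFIND /share HTTP/1.1" 207 812
this line is malformed and must be skipped
"""


def summarize_dav(lines):
    """Return (refused DAV request counts per client, DAV requests not refused)."""
    refused = Counter()
    answered = []
    for line in lines:
        m = CLF.match(line)
        if not m or m["method"] not in DAV_METHODS:
            continue  # unparsable line or an ordinary GET/POST/etc.
        status = int(m["status"])
        if status in REFUSED:
            refused[m["host"]] += 1
        else:
            # e.g. 207 Multi-Status: something answered the DAV request.
            answered.append((m["host"], m["method"], m["path"], status))
    return refused, answered


if __name__ == "__main__":
    refused, answered = summarize_dav(SAMPLE_LOG.splitlines())
    for host, count in refused.most_common():
        print(f"{host}: {count} refused WebDAV request(s)")
    for host, method, path, status in answered:
        print(f"REVIEW: {host} {method} {path} -> {status}")
```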

Posted: Mon Sep 18, 2006 2:51 pm
by nickvd
Try removing the dav module from Apache's config file...
i.e.:

#LoadModule dav_module /usr/lib/apache2/modules/mod_dav.so

Posted: Mon Sep 18, 2006 4:04 pm
by RobertGonzalez
Is the DAV module a required module for anything?

Posted: Tue Sep 19, 2006 1:11 pm
by nickvd
Not to my knowledge, and it's not enabled on my setup..

I'm sure it is required for something but I've never had it turned on (aside from mod_dav_svn, for subversion, but that's a completely separate module).

Posted: Tue Sep 19, 2006 1:12 pm
by RobertGonzalez
Ok, I will look into it. Thanks for the advice.