OHS must restrict access methods.

From Oracle HTTP Server 12.1.3 Security Technical Implementation Guide

Associated with: CCI-000366

SV-79129r1_rule OHS must restrict access methods.

Vulnerability discussion

The directive "<LimitExcept>" allows the system administrator to restrict what users may use which methods. An example of methods would be GET, POST and DELETE. These three are the most common used by applications and should be allowed. Methods such as TRACE, if allowed, give an attacker a way to map the system so that vulnerabilities to the system can be researched and developed.

Check content

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS//httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "" directive at the directory configuration scope. 3. If the "" directive is omitted (with the exception of the "" directive) or is set improperly, this is a finding.

Fix text

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS//httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor. 2. Search for the "" directive at the directory configuration scope. 3. Set the "" directive to "GET POST", add the directive if it does not exist. 4. Within the "" directives, add the directive "Deny" and set it to "from all".

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.