Re: Disable http_dav_module in Nginx Web server (version nginx/1.24.0)

November 28, 2023 11:50AM
Hi

On Tue, Nov 28, 2023 at 3:17 AM Sergey A. Osokin <osa@freebsd.org.ru> wrote:

> Hi Kaushal,
>
> hope you're doing well.
>
> Would you mind providing your feelings and concerns, if any, on the
> ngx_http_dav module.
>
> It's definitely possible to use the build scripts, available in the
> pkg-oss repo, [1], update configure options and rebuild the package
> for your needs.
>
> References
> ----------
> 1. https://hg.nginx.org/pkg-oss/
>
> Thank you.
>
> --
> Sergey A. Osokin
>
> On Tue, Nov 28, 2023 at 12:39:47AM +0530, Kaushal Shriyan wrote:
> > Hi,
> >
> > I am running nginx version: nginx/1.24.0 on Red Hat Enterprise Linux
> > release 8.8 (Ootpa). Is there a way to disable http_dav_module in Nginx Web
> > server?
> >
> > # nginx -v
> > nginx version: nginx/1.24.0
> > # cat /etc/redhat-release
> > Red Hat Enterprise Linux release 8.8 (Ootpa).
> > #
> > # nginx -V 2>&1 | grep http_dav_module
> > configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx
> > --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf
> > --error-log-path=/var/log/nginx/error.log
> > --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx..pid
> > --lock-path=/var/run/nginx.lock
> > --http-client-body-temp-path=/var/cache/nginx/client_temp
> > --http-proxy-temp-path=/var/cache/nginx/proxy_temp
> > --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp
> > --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp
> > --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx
> > --with-compat --with-file-aio --with-threads --with-http_addition_module
> > --with-http_auth_request_module --with-http_dav_module
> > --with-http_flv_module --with-http_gunzip_module
> > --with-http_gzip_static_module --with-http_mp4_module
> > --with-http_random_index_module --with-http_realip_module
> > --with-http_secure_link_module --with-http_slice_module
> > --with-http_ssl_module --with-http_stub_status_module
> > --with-http_sub_module --with-http_v2_module --with-mail
> > --with-mail_ssl_module --with-stream --with-stream_realip_module
> > --with-stream_ssl_module --with-stream_ssl_preread_module
> > --with-cc-opt='-O2 -g -pipe -Wall -Werror=format-security
> > -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions
> > -fstack-protector-strong -grecord-gcc-switches
> > -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1
> > -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic
> > -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection
> > -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie'
> >
> > Please guide me. Thanks in Advance.
> >
> > Best Regards,
> >
> > Kaushal
>
> > _______________________________________________
> > nginx mailing list
> > nginx@nginx.org
> > https://mailman.nginx.org/mailman/listinfo/nginx


Hi Sergey,

I am working with an enterprise customer in the financial domain. Their
security team has suggested the below recommendation.

############################################################################################################
2.1.2 Ensure HTTP WebDAV module is not installed (Automated)
Profile Applicability:
• Level 2 - Webserver
• Level 2 - Proxy
• Level 2 – Loadbalancer
Description:
The http_dav_module enables HTTP Extensions for Web Distributed Authoring and
Versioning (WebDAV) as defined by RFC 4918. This enables file-based operations
on your web server, such as the ability to create, delete, change and move
files on your server. Most modern architectures have replaced this
functionality with cloud-based object storage, in which case the module should
not be installed.
Rationale:
WebDAV functionality opens up an unnecessary path for exploiting your web
server. Through misconfigurations of WebDAV operations, an attacker may be able
to access and manipulate files on the server.
Audit:
Run the following command to ensure the http_dav_module is not installed:
nginx -V 2>&1 | grep http_dav_module

Ensure the output of the command is empty.
Remediation:
To remove the http_dav_module, recompile nginx from source without the
--with-http_dav_module flag.
Default Value:
The HTTP WebDAV module is not installed by default when installing from source.
It does come by default when installed using dnf.
############################################################################################################

Please guide me further. Thanks in advance.

Best Regards,

Kaushal
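
An audit helper for the benchmark item quoted in the message above, as an added example that is not part of the original post or of the benchmark text. It checks the `nginx -V` configure arguments for the exact `--with-http_dav_module` flag and also lists any `dav_methods` directive that enables a method (the directive defaults to `off`, so a compiled-in module handles no WebDAV methods until one is set). The function names, status labels and sample inputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Sample inputs are constructed; on a
# real host pass "$(nginx -V 2>&1)" and "$(nginx -T 2>/dev/null)" instead.

# Exit 0 when the configure arguments contain the exact WebDAV build flag.
# Newlines are folded to spaces so line-wrapped output still matches.
dav_module_compiled_in() {
    case " $(printf '%s' "$1" | tr '\n' ' ') " in
        *" --with-http_dav_module "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print each dav_methods directive that enables at least one method.
# Comments are stripped first; "dav_methods off;" is ignored.
active_dav_methods() {
    printf '%s\n' "$1" | awk '
        { sub(/#.*/, "")
          for (i = 1; i < NF; i++)
              if ($i == "dav_methods" && $(i + 1) !~ /^off;?$/) {
                  $1 = $1; print; break
              }
        }'
}

# Classify a host: not-built | built-inactive | built-active
webdav_status() {
    if ! dav_module_compiled_in "$1"; then
        echo "not-built"
    elif [ -z "$(active_dav_methods "$2")" ]; then
        echo "built-inactive"
    else
        echo "built-active"
    fi
}

# Constructed sample inputs (shortened configure lines, minimal configs).
SAMPLE_BUILD_DAV='configure arguments: --prefix=/etc/nginx --with-compat --with-http_dav_module --with-http_ssl_module'
SAMPLE_BUILD_NODAV='configure arguments: --prefix=/etc/nginx --with-compat --with-http_ssl_module'
SAMPLE_CONF_OFF='server {
    # dav_methods PUT DELETE;
    location / { root /usr/share/nginx/html; }
}'
SAMPLE_CONF_ON='server {
    location /upload/ { dav_methods  PUT DELETE; }   # write access over HTTP
}'

webdav_status "$SAMPLE_BUILD_NODAV" "$SAMPLE_CONF_ON"
webdav_status "$SAMPLE_BUILD_DAV"   "$SAMPLE_CONF_OFF"
webdav_status "$SAMPLE_BUILD_DAV"   "$SAMPLE_CONF_ON"
```

Only the `not-built` result satisfies the benchmark item as quoted; `built-inactive` means the packaged binary includes the module but the configuration enables no WebDAV methods.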