Author: coolkevin (我笑他人看不穿)
Board: NetSecurity
Title: [Question] N-Stalker report after scanning
Time: Tue Nov 20 15:53:59 2007
My server's web site was compromised a while ago and used as a jump host,
so after reinstalling I ran N-Stalker on it first to see whether there are any vulnerabilities.
One of the findings is:
Comments
An insecure HTTP method has been detected as available in the Web Server side
and may be exploited under certain conditions.
Although it may vary according to the situation, HTTP methods other than
GET, POST and HEAD are not common and should be evaluated before being made
publicly available on production-level Web Servers.
Some problems may arise because of information leakage problem such as TRACE
method (that may reveal internal private HTTP Headers) or may be used for
client-side credentials stealing attacks. Other methods such as PROPFIND and
WebDav-based methods may allow for arbitrary file uploading and should not be
available under normal conditions.
This issue can be considered an Insecure Configuration Management as
described in OWASP Top10 Web Application Vulnerabilities, Section A10: "Web
server and application server configurations play a key role in the security
of a web application. These servers are responsible for serving content and
invoking applications that generate content. In addition, many application
servers provide a number of services that web applications can use, including
data storage, directory services, mail, messaging, and more. Failure to
manage the proper configuration of your servers can lead to a wide variety of
security problems."
I originally thought this meant I had to restrict the methods the server accepts for passing parameters,
so I added the following:
<Directory />
    # allow only these three methods (HEAD is implicitly covered when GET is listed)
    <Limit GET POST OPTIONS>
        Order allow,deny
        Allow from all
    </Limit>
    # deny every other method
    <LimitExcept GET POST OPTIONS>
        Order deny,allow
        Deny from all
    </LimitExcept>
</Directory>
But the result is the same: the comment is still there.
Could the senior members please advise? Thank you.
--
※ Posted from: 批踢踢实业坊(ptt.cc)
◆ From: 134.208.2.224
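Added example, not part of the original post: an Apache 2.2 configuration fragment showing why the <Limit>/<LimitExcept> block above does not silence the TRACE finding, and what does. It assumes the same Apache 2.2 syntax as the post and that mod_rewrite is loaded for the fallback rule.

```apache
# Added example (not from the original post).
#
# The Apache documentation for <Limit> states that the TRACE method cannot be
# limited there; it is controlled with TraceEnable (Apache 2.0.55 and later).
# That is why the LimitExcept block in the post still leaves TRACE answering,
# and why N-Stalker keeps reporting an insecure HTTP method.
TraceEnable off

# Fallback for httpd builds that lack TraceEnable: refuse TRACE (and the IIS
# alias TRACK) with mod_rewrite before any handler sees the request.
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)$
RewriteRule .* - [F]

# The LimitExcept block is still worth keeping for the remaining methods.
# HEAD is implicitly allowed because GET is listed.  OPTIONS is left in so
# the server still answers method-discovery requests with its reduced list;
# remove it from the list as well if the scanner flags OPTIONS itself.
<Directory />
    <LimitExcept GET POST OPTIONS>
        Order deny,allow
        Deny from all
    </LimitExcept>
</Directory>

# PROPFIND, MKCOL and the other WebDAV methods come from mod_dav, not from
# the core, so check that no <Directory> or <Location> anywhere turns it on:
# Dav Off
```

After reloading, a request with the TRACE method should receive a 403 or 405 instead of an echo of its own headers; then re-run the scan.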