Details
The Apache ‘mod_dav’ and ‘mod_dav_fs’ modules support WebDAV (‘Web-based Distributed Authoring and Versioning’) functionality for Apache. WebDAV is an extension to the HTTP protocol which allows clients to create, move, and delete files and resources on the web server.
Rationale:
WebDAV is not widely used, and it has serious security concerns because it may allow clients to modify unauthorized files on the web server. Therefore, the WebDav modules ‘mod_dav’ and ‘mod_dav_fs’ should be disabled.
Solution
Perform either one of the following to disable the WebDAV modules:
1. For source builds with static modules, run the Apache ‘./configure’ script without including ‘mod_dav’ and ‘mod_dav_fs’ in the ‘–enable-modules=configure’ script options.
$ cd $DOWNLOAD/httpd-2.2.22
$ ./configure
2. For dynamically loaded modules, comment out or remove the ‘LoadModule’ directive for the ‘mod_dav’ and ‘mod_dav_fs’ modules from the ‘httpd.conf’ file.
##LoadModule dav_module modules/mod_dav.so
##LoadModule dav_fs_module modules/mod_dav_fs.so
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: System and Information Integrity.This control applies to the following type of system Unix.