Topic: Unauthorised Use of Post method
P78$



Joined: 27 Oct 2021
Posts: 1

Posted: Thu 28 Oct '21 4:52    Post subject: Unauthorised Use of Post method

Hi,

Every now and then I have observed the following or similar entries in my website access log file:

"POST / HTTP/1.1" 200 824 "-"

Q1: How can someone successfully use the POST method without permissions?

Q2: How can I stop unauthorised use of the POST method?

Q3: How can I find out what has been posted to my websites without authorisation?

Thanks and regards,
Abha
mraddi



Joined: 27 Jun 2016
Posts: 135
Location: Schömberg, Baden-Württemberg, Germany

Posted: Thu 28 Oct '21 7:38    Post subject:

Hello and good morning Abha,

1. What is "without permissions"? You can configure your Apache to request basic authentication from the browser/requesting entity. Or you can do some stuff within your application to present a login window and handle the authentication using session storage (e.g. built into PHP). But it seems that it is not working as you expect? Without knowing what you have done there, there is nearly no way to give hints on what to do.

2. As I don't know the server/the application/the persons/entities using the service, there is no clear advice and a lot of possible answers, each with their pros and cons. You can create firewall rules to allow only a defined network range/IP address to access. You can do the same within Apache's config. You can configure Apache to use Basic Authentication (or some other authentication/authorization method provided by Apache). You can create some session handling within your application and deny all other requests. ...

3. You can configure what is inside a log entry Apache writes to access.log; the keyword is LogFormat.
The default settings are fine in most cases, and for me the result looks like this:
Code:
10.1.1.1 - - [28/Oct/2021:07:08:51 +0200] "GET /[...url_requested...] HTTP/2.0" 200 66 "https://[...referrer...]" "[...browser_string...]"

Where 10.1.1.1 is (in my example) the client's IP address. This gives at least a hint which machine POSTed some data to your server. The timestamps are a hint whether it is done by a cron job (every x minutes/hours) or maybe by a human (only office hours; no recurring interval recognizable).



Or is your question a little simpler: somebody is using POST where only GET should be allowed? You can configure Apache to allow only some verbs (GET, POST, HEAD, PUT, DELETE, ...) and deny the others. Then this might be the answer or at least a hint on what to do next: https://stackoverflow.com/questions/40914743/apache-limitexcept-only-to-get-and-post-methods

Best regards
Matthias
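The log analysis Matthias describes (which client address POSTed, and whether the timestamps look like a cron job or a human) can be automated against the default combined LogFormat. The script below is an added example, not code from this thread or from the Apache project: it parses access.log lines, keeps the POST requests, groups them by client address and flags hosts whose POST intervals are regular enough to look scheduled. The log lines, addresses and thresholds are constructed for the example and are not the poster's real data.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Regex for Apache's "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log (documentation-range addresses, invented timestamps).
# 203.0.113.7 POSTs to / roughly every 15 minutes, which is the cron-like pattern.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Oct/2021:04:00:02 +0000] "POST / HTTP/1.1" 200 824 "-" "python-requests/2.25"
198.51.100.9 - - [28/Oct/2021:04:03:10 +0000] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Oct/2021:04:15:01 +0000] "POST / HTTP/1.1" 200 824 "-" "python-requests/2.25"
203.0.113.7 - - [28/Oct/2021:04:30:02 +0000] "POST / HTTP/1.1" 200 824 "-" "python-requests/2.25"
198.51.100.9 - - [28/Oct/2021:04:31:45 +0000] "POST /contact HTTP/1.1" 302 0 "https://example.test/contact" "Mozilla/5.0"
203.0.113.7 - - [28/Oct/2021:04:45:01 +0000] "POST / HTTP/1.1" 200 824 "-" "python-requests/2.25"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["time"] = datetime.strptime(entry["time"], "%d/%b/%Y:%H:%M:%S %z")
    entry["status"] = int(entry["status"])
    entry["size"] = 0 if entry["size"] == "-" else int(entry["size"])
    return entry


def post_requests(text):
    """All parsed entries whose method is POST, in file order."""
    parsed = (parse_line(line) for line in text.splitlines())
    return [e for e in parsed if e and e["method"] == "POST"]


def group_by_host(entries):
    """Bucket entries by client address (%h)."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["host"]].append(e)
    return groups


def interval_summary(entries):
    """Return (count, mean gap in seconds, population stdev of the gaps).

    A small stdev relative to the mean means the requests arrive on a fixed
    schedule, which points to a cron job rather than a person at a keyboard.
    Fewer than three requests give no usable interval statistics.
    """
    times = sorted(e["time"] for e in entries)
    if len(times) < 3:
        return (len(times), None, None)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return (len(times), mean(gaps), pstdev(gaps))


def suspicious_posters(text, min_posts=3, max_rel_stdev=0.1):
    """Hosts whose POST timing is regular enough to look automated.

    Thresholds are constructed defaults: at least `min_posts` POSTs and a
    relative stdev of the inter-request gap no larger than `max_rel_stdev`.
    """
    flagged = {}
    for host, entries in group_by_host(post_requests(text)).items():
        count, avg, sd = interval_summary(entries)
        if count >= min_posts and avg and sd / avg <= max_rel_stdev:
            flagged[host] = {
                "count": count,
                "mean_interval_s": round(avg),
                "paths": sorted({e["path"] for e in entries}),
                "statuses": sorted({e["status"] for e in entries}),
            }
    return flagged


if __name__ == "__main__":
    for host, info in suspicious_posters(SAMPLE_LOG).items():
        print(host, info)
```

Run it on a real file with `suspicious_posters(open("access.log").read())`. Two limits are worth keeping in mind: the default LogFormat records the request line, status and response size but never the request body, so access.log alone cannot show what was posted, only who posted, where and when; and restricting which methods Apache accepts at all is a separate server-side step (the `<LimitExcept>` directive that the linked thread covers), which this script does not replace.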