curl-users

Unexpected cURL Behavior

From: ShivanX <shivanx_at_gmail.com>
Date: Wed, 24 Jun 2009 10:58:08 -0400

I was wondering if someone could help me in figuring out an issue I had in
the last few months.

I was doing a personal security assessment for a friend's website when I
found that dangerous HTTP methods were being allowed (HTTP PUT and HTTP
DELETE). I created a fake .html file called "test.html" and just put the
word "test" in it. I used "curl -T test.html https://friends-site/" which
uploaded the file successfully. After verifying the HTTP PUT worked, I
decided to check the HTTP DELETE. I used the following command: "curl -X
DELETE https://friends-site/test.html" which did delete the file but also
deleted the entire document root directory. Can someone explain how this
might have happened? The webserver was an IIS6 system. This was a
development staging system but my friend who does his main development on
this server lost some current work he was doing.

Thanks in advance!

Received on 2009-06-24