Description

WebDAV is enabled on this server and this directory has write permissions enabled. Acunetix was able to create a test file within this directory using the PUT method. The PUT method is a part of the WebDAV standard for remote content editing. A poorly configured Web server can mistakenly provide remote access to the PUT method without requiring any form of login. Even more, the scanner was able to rename this file to filename.asp;.jpg and then execute code in the context of the web server.

Remediation

Remove write permissions from this directory or disable WebDAV if it's not being used.

References

W3C - RFC 2616

Related Vulnerabilities

WordPress Plugin Social Networking & E-commerce Arbitrary File Upload (0.0.32)

Yii debug mode enabled

WordPress Unrestricted Upload of File with Dangerous Type Vulnerability (CVE-2018-14028)

WordPress Plugin Uploader 'uploadify.php' Arbitrary File Upload (1.0.4)

WordPress Plugin Woocommerce Product Designer Arbitrary File Upload (3.0.3)

Severity

High

Classification

CWE-434 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Tags

Configuration Code Execution