WebDAV remote code execution

Description
  • WebDAV is enabled on this server and this directory has write permissions enabled. Acunetix was able to create a test file within this directory using the PUT method. The PUT method is part of the WebDAV standard for remote content editing. A poorly configured web server can mistakenly provide remote access to the PUT method without requiring any form of login. In addition, the scanner was able to rename this file to filename.asp;.jpg and then execute code in the context of the web server.
Remediation
  • Remove write permissions from this directory or disable WebDAV if it's not being used.
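
A log check for the behaviour described above, as an added example that is not part of the original advisory: it flags WebDAV write requests the server accepted and requests for names that carry a script extension before a semicolon. The four-field log format, the sample lines, the method set beyond PUT and the extension list beyond asp are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# WebDAV/HTTP methods that create, rename or alter content (assumed set; the page names PUT and rename).
WRITE_METHODS = {"PUT", "MOVE", "COPY", "MKCOL", "PROPPATCH", "DELETE"}

# Final path segment such as "filename.asp;.jpg": script extension, then ';'.
# Only "asp" comes from the page; the other extensions are assumptions to tune.
SEMICOLON_NAME = re.compile(r"\.(?:aspx?|asa|cer|php|jsp);[^/]*$", re.IGNORECASE)


def analyze(lines):
    """Return (line_no, client, rule, path, status) for each suspicious log line.

    Expects the constructed format "client method target status".
    """
    findings = []
    for line_no, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip malformed lines instead of failing
        client, method, target, status = parts[0], parts[1].upper(), parts[2], int(parts[3])
        # urlsplit keeps ';' in the path; unquote exposes %3B-encoded semicolons.
        path = unquote(urlsplit(target).path)
        # A 2xx answer to a write method means the server accepted the write.
        if method in WRITE_METHODS and 200 <= status < 300:
            findings.append((line_no, client, "webdav-write-accepted", path, status))
        # Any request for such a name is worth review, whatever the status.
        if SEMICOLON_NAME.search(path):
            findings.append((line_no, client, "script-ext-before-semicolon", path, status))
    return findings


# Constructed sample log lines (documentation address ranges).
SAMPLE = [
    "198.51.100.7 GET /index.html 200",
    "198.51.100.7 PUT /uploads/test.txt 201",
    "198.51.100.7 MOVE /uploads/test.txt 201",
    "198.51.100.7 GET /uploads/filename.asp;.jpg 200",
    "203.0.113.9 PUT /uploads/a.txt 401",
    "203.0.113.9 GET /img/photo%2Easp%3B.jpg 404",
    "garbage line",
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print(finding)
```

After remediation, write methods against the directory should no longer return 2xx, so the first rule should stop firing on new log entries.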