Disable http_dav_module in Nginx Web server (version nginx/1.24.0)

Kaushal Shriyan kaushalshriyan at gmail.com
Tue Nov 28 16:49:41 UTC 2023


Hi

On Tue, Nov 28, 2023 at 3:17 AM Sergey A. Osokin <osa at freebsd.org.ru> wrote:

> Hi Kaushal,
>
> hope you're doing well.
>
> Would you mind providing your feelings and concerns, if any, on the
> ngx_http_dav module.
>
> It's definitely possible to use the build scripts, available in the
> pkg-oss repo, [1], update configure options and rebuild the package
> for your needs.
>
> References
> ----------
> 1. https://hg.nginx.org/pkg-oss/
>
> Thank you.
>
> --
> Sergey A. Osokin
>
> On Tue, Nov 28, 2023 at 12:39:47AM +0530, Kaushal Shriyan wrote:
> > Hi,
> >
> > I am running nginx version: nginx/1.24.0 on Red Hat Enterprise Linux
> > release 8.8 (Ootpa). Is there a way to disable http_dav_module in Nginx
> > Web server?
> >
> > # nginx -v
> > nginx version: nginx/1.24.0
> > # cat /etc/redhat-release
> > Red Hat Enterprise Linux release 8.8 (Ootpa).
> > #
> > # nginx -V 2>&1 | grep http_dav_module
> > configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx
> > --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf
> > --error-log-path=/var/log/nginx/error.log
> > --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid
> > --lock-path=/var/run/nginx.lock
> > --http-client-body-temp-path=/var/cache/nginx/client_temp
> > --http-proxy-temp-path=/var/cache/nginx/proxy_temp
> > --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp
> > --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp
> > --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx
> > --with-compat --with-file-aio --with-threads --with-http_addition_module
> > --with-http_auth_request_module --with-http_dav_module
> > --with-http_flv_module --with-http_gunzip_module
> > --with-http_gzip_static_module --with-http_mp4_module
> > --with-http_random_index_module --with-http_realip_module
> > --with-http_secure_link_module --with-http_slice_module
> > --with-http_ssl_module --with-http_stub_status_module
> > --with-http_sub_module --with-http_v2_module --with-mail
> > --with-mail_ssl_module --with-stream --with-stream_realip_module
> > --with-stream_ssl_module --with-stream_ssl_preread_module
> > --with-cc-opt='-O2 -g -pipe -Wall -Werror=format-security
> > -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions
> > -fstack-protector-strong -grecord-gcc-switches
> > -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1
> > -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic
> > -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection
> > -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie'
> >
> > Please guide me. Thanks in Advance.
> >
> > Best Regards,
> >
> > Kaushal
>
> > _______________________________________________
> > nginx mailing list
> > nginx at nginx.org
> > https://mailman.nginx.org/mailman/listinfo/nginx


Hi Sergey,

I am working with an enterprise customer in the financial domain. Their
security team has suggested the recommendation below.

############################################################################################################
2.1.2 Ensure HTTP WebDAV module is not installed (Automated)

Profile Applicability:
• Level 2 - Webserver
• Level 2 - Proxy
• Level 2 - Loadbalancer

Description:
The http_dav_module enables HTTP Extensions for Web Distributed Authoring and Versioning (WebDAV) as defined by RFC 4918. This enables file-based operations on your web server, such as the ability to create, delete, change and move files on your server. Most modern architectures have replaced this functionality with cloud-based object storage, in which case the module should not be installed.

Rationale:
WebDAV functionality opens up an unnecessary path for exploiting your web server. Through misconfigurations of WebDAV operations, an attacker may be able to access and manipulate files on the server.

Audit:
Run the following command to ensure the http_dav_module is not installed:

nginx -V 2>&1 | grep http_dav_module

Ensure the output of the command is empty.

Remediation:
To remove the http_dav_module, recompile nginx from source without the --with-http_dav_module flag.

Default Value:
The HTTP WebDAV module is not installed by default when installing from source. It does come by default when installed using dnf.
############################################################################################################

Please guide me further. Thanks in advance.

Best Regards,

Kaushal
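As an added example (not code from this thread or from the nginx project), here is a POSIX shell helper that performs the 2.1.2 audit above more strictly than a bare substring grep: it checks the `configure arguments:` line from `nginx -V` for the exact `--with-http_dav_module` token and separately reports whether a config file actually switches the module on with a `dav_methods` directive. The sample inputs are constructed from the configure line quoted above plus a made-up location block.

```shell
#!/bin/sh
# Audit helper for the CIS 2.1.2 check discussed in the thread (added
# example, not from the mailing list or the nginx project). It parses the
# "configure arguments:" line printed by `nginx -V` plus a config file, and
# tells "module compiled in" apart from "module actually enabled".

# Return 0 when the build flags in $1 contain the exact token
# --with-http_dav_module; a plain substring grep would also match a
# comment or a similarly named option.
nginx_has_dav_module() {
    printf '%s\n' "$1" |
        grep -qE '(^|[[:space:]])--with-http_dav_module([[:space:]]|$)'
}

# Return 0 when the nginx config text in $1 has an active (non-commented)
# dav_methods directive, i.e. WebDAV methods are switched on, not merely
# compiled in.
config_enables_dav() {
    printf '%s\n' "$1" |
        grep -qE '^[[:space:]]*dav_methods[[:space:]]+[^#]'
}

# Combined audit. Exit status: 0 = module absent (benchmark passes),
# 1 = compiled in but no dav_methods configured (a rebuild is still needed
# to satisfy the benchmark), 2 = compiled in and enabled in the config.
audit_dav() {
    if ! nginx_has_dav_module "$1"; then
        echo "PASS: http_dav_module not compiled in"
        return 0
    fi
    if config_enables_dav "$2"; then
        echo "FAIL: http_dav_module compiled in and dav_methods configured"
        return 2
    fi
    echo "WARN: http_dav_module compiled in; rebuild without --with-http_dav_module"
    return 1
}

# Constructed sample input: a trimmed copy of the configure line from the
# thread, a variant without the flag, and a made-up location block.
SAMPLE_V='configure arguments: --prefix=/etc/nginx --with-http_auth_request_module --with-http_dav_module --with-http_flv_module'
SAMPLE_V_NODAV='configure arguments: --prefix=/etc/nginx --with-http_auth_request_module --with-http_flv_module'
SAMPLE_CONF='location /upload/ {
    # dav_methods PUT;   <- commented out, must not count
    dav_methods PUT DELETE MKCOL;
}'

# Live use: audit_dav "$(nginx -V 2>&1)" "$(cat /etc/nginx/nginx.conf)"
audit_dav "$SAMPLE_V" "$SAMPLE_CONF" || echo "audit exit status: $?"
```

Note that a WARN result still fails the benchmark as written, since it requires the module to be absent from the build, not just unused; the config check only tells you whether an attacker could exercise WebDAV methods before the rebuild lands.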