Disable http_dav_module in Nginx Web server (version nginx/1.24.0)

Thomas Ward teward at thomas-ward.net
Wed Nov 29 00:42:59 UTC 2023


Kaushal,

The answer from Sergey is actually accurate.  You'd have to modify the 
build scripts to exclude the webdav module and then recompile the NGINX 
packaging for your environment.  This is not *hard* but requires more 
knowledge than just NGINX to provide a solution that fits your 
organization.  The pkg-oss repo that Sergey provided a link to provides 
the baseline components necessary to build the open source packages that 
can be used by your system.

You would have to create your own RHEL packages based off the pkg-oss 
repository and then build those packages and install them on your 
corresponding infrastructure.  That will, however, disable the ability 
for you to get updates via the RHEL repositories.

Where did your client get the 'recommendation' from?  Generally speaking, 
most security teams aren't going to be wanting to manually build 
software independently because that can cause issues with security 
updates.  Additionally, unless WebDAV is enabled in your environment 
(read: *enabled*, not whether installed or not), it shouldn't be doing 
anything.  You can also just disable webdav by giving zero access with a 
single line which then blocks all WebDAV routes.

Also, additionally, refer to this: 
http://nginx.org/en/docs/http/ngx_http_dav_module.html

Specifically, the webdav system / module does NOT intercept methods and 
do WebDAV stuff unless the configuration is set to.

The defaults for the webdav module specify this for the dav methods 
(which in turn tells the module when to actually do something or not 
with the HTTP method received and in turn processing that as WebDAV):

dav_methods off;

When dav_methods is off, which is the default unless you manually set it 
otherwise, all methods are denied to the WebDAV module, per the 
documentation of that directive:  "Allows the specified HTTP and WebDAV 
methods. The parameter |off| denies all methods processed by this module."

You may want to inform your clients' security team the following:

"In order to disable this module, we would have to manually compile the 
software for your environment, which means that you will no longer 
receive security updates, etc. from the RHEL team or repositories.  
Additionally, documentation on this module states that the default setup 
for this module is to be **disabled** regardless of whether this is 
compiled into the binaries or not.  If you really want this module 
disabled, we will have to manually compile NGINX for all your machines, 
and it will then be up to you to apply patches from NGINX for security 
vulnerabilities and issues yourselves."

This achieves the following:

(1) Indicates to your clients that you've researched this issue,

(2) Indicates to your clients that, as you've done your research, you've 
identified that in order to change the compiled-in modules you would be 
required to manually do this per machine and break security patches from 
RHEL, and

(3) During your research, it was uncovered that the presence of this 
module does not by default enable WebDAV functionality, thereby 
eliminating the security risk unless one of your administrators 
configures the WebDAV module for a given site.

It also lets their team determine whether they really want to take on 
the "manually recompile from source every patch" burden, and also that 
their security concerns are mitigated because the webdav methods are 
disabled by default.


Thomas

---

Thomas Ward
IT Security Professional
NGINX Package Maintainer, Debian
NGINX Package Watcher/Maintainer/Helper, Ubuntu


On 11/28/23 11:49, Kaushal Shriyan wrote:
> Hi
>
> On Tue, Nov 28, 2023 at 3:17 AM Sergey A. Osokin <osa at freebsd.org.ru> 
> wrote:
>
>     Hi Kaushal,
>
>     hope you're doing well.
>
>     Would you mind providing your feelings and concerns, if any, on the
>     ngx_http_dav module.
>
>     It's definitely possible to use the build scripts, available in the
>     pkg-oss repo, [1], update configure options and rebuild the package
>     for your needs.
>
>     References
>     ----------
>     1. https://hg.nginx.org/pkg-oss/
>
>     Thank you.
>
>     -- 
>     Sergey A. Osokin
>
>     On Tue, Nov 28, 2023 at 12:39:47AM +0530, Kaushal Shriyan wrote:
>     > Hi,
>     >
>     > I am running nginx version: nginx/1.24.0 on Red Hat Enterprise Linux
>     > release 8.8 (Ootpa). Is there a way to disable http_dav_module
>     in Nginx Web
>     > server?
>     >
>     > # nginx -v
>     > nginx version: nginx/1.24.0
>     > # cat /etc/redhat-release
>     > Red Hat Enterprise Linux release 8.8 (Ootpa).
>     > #
>     > # nginx -V 2>&1 | grep http_dav_module
>     > configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx
>     > --modules-path=/usr/lib64/nginx/modules
>     --conf-path=/etc/nginx/nginx.conf
>     > --error-log-path=/var/log/nginx/error.log
>     > --http-log-path=/var/log/nginx/access.log
>     --pid-path=/var/run/nginx.pid
>     > --lock-path=/var/run/nginx.lock
>     > --http-client-body-temp-path=/var/cache/nginx/client_temp
>     > --http-proxy-temp-path=/var/cache/nginx/proxy_temp
>     > --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp
>     > --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp
>     > --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx
>     --group=nginx
>     > --with-compat --with-file-aio --with-threads
>     --with-http_addition_module
>     > --with-http_auth_request_module --with-http_dav_module
>     > --with-http_flv_module --with-http_gunzip_module
>     > --with-http_gzip_static_module --with-http_mp4_module
>     > --with-http_random_index_module --with-http_realip_module
>     > --with-http_secure_link_module --with-http_slice_module
>     > --with-http_ssl_module --with-http_stub_status_module
>     > --with-http_sub_module --with-http_v2_module --with-mail
>     > --with-mail_ssl_module --with-stream --with-stream_realip_module
>     > --with-stream_ssl_module --with-stream_ssl_preread_module
>     > --with-cc-opt='-O2 -g -pipe -Wall -Werror=format-security
>     > -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions
>     > -fstack-protector-strong -grecord-gcc-switches
>     > -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1
>     > -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic
>     > -fasynchronous-unwind-tables -fstack-clash-protection
>     -fcf-protection
>     > -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie'
>     >
>     > Please guide me. Thanks in Advance.
>     >
>     > Best Regards,
>     >
>     > Kaushal
>
>     > _______________________________________________
>     > nginx mailing list
>     > nginx at nginx.org
>     > https://mailman.nginx.org/mailman/listinfo/nginx
>
>
> Hi Sergey,
>
> I am working with an enterprise customer in financial domain. Their 
> security team has suggested the below recommendation.
>
> ############################################################################################################
> 2.1.2 Ensure HTTP WebDAV module is not installed (Automated)
> Profile Applicability:
> • Level 2 - Webserver
> • Level 2 - Proxy
> • Level 2 – Loadbalancer
> Description:
> The http_dav_module enables HTTP Extensions for Web Distributed 
> Authoring and Versioning
> (WebDAV) as defined by RFC 4918. This enables file-based operations on 
> your web server, such
> as the ability to create, delete, change and move files on your 
> server. Most modern
> architectures have replaced this functionality with cloud-based object 
> storage, in which case
> the module should not be installed.
> Rationale:
> WebDAV functionality opens up an unnecessary path for exploiting your 
> web server. Through
> misconfigurations of WebDAV operations, an attacker may be able to 
> access and manipulate
> files on the server.
> Audit:
> Run the following command to ensure the http_dav_module is not installed:
> nginx -V 2>&1 | grep http_dav_module
>
> Ensure the output of the command is empty.
> Remediation:
> To remove the http_dav_module, recompile nginx from source without the
> --with-http_dav_module flag.
> Default Value:
> The HTTP WebDAV module is not installed by default when installing 
> from source. It does come
> by default when installed using dnf.
> ############################################################################################################
> Please guide me further.  Thanks in advance.
>
> Best Regards,
>
> Kaushal
>