Path 'PROPFIND' is forbidden?

Developer https://www.devze.com 2022-12-11 15:42 Source: Internet
I am receiving the following error but can't seem to make sense out of it within the context that it's happening:

Message
    Path 'PROPFIND' is forbidden.
StackTrace
    at System.Web.HttpMethodNotAllowedHandler.ProcessRequest(HttpContext context)
    at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
    at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

Google has turned up results that don't seem to have anything to do with my app (this is asp.net MVC on IIS6). The site is functioning fine, but I would like to try and catch and handle this error. Thanks.


Ok I think we found the answer, and evidently it's sort of obvious, but I'm not a systems guy so that's my excuse. ;) In using MVC with IIS 6 we have implemented Wildcard Mapping to get the nice extensionless URLs for the site. But the way I understand it, with the wildcard mapping enabled it just processes all the requests as though they were for ASP.net including these WebDAV verbs issued by the people blindly probing for vulnerabilities that 48klocs mentioned.


Is it a public web server? A quick Googling seems to indicate that there was a DOS attack involving PROPFIND and WebDAV. If it's public, you're picking up logs from spray-and-pray drive-by attackers. If it's internal, you've got a bigger head-scratcher.


It could be one of two issues:

  1. PROPFIND is not defined as a permissible verb on the website for the ASP.NET scriptmap.
  2. The server is running UrlScan and does not permit PROPFIND. Check the [AllowVerbs] and [DenyVerbs] sections of c:\Windows\System32\InetSrv\urlscan\UrlScan.ini


We've been seeing these a lot, and have determined that many of them come from Microsoft Office products. In particular, Microsoft Office.

See "How documents are opened from a Web site in Office 2003" for somewhat of an explanation.

I have been able to receive some brief relief by adding a mapping for the DefaultHttpHandler in web.config for those two verbs:

<configuration>
  <system.web>
    <httpHandlers>
      <add verb="*" path="*.mvc" validate="false" type="System.Web.Mvc.MvcHttpHandler, System.Web.Mvc, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL" />
      <add path="*" verb="OPTIONS, PROPFIND" type="System.Web.DefaultHttpHandler" />
    </httpHandlers>
  </system.web>
</configuration>

This causes the "OPTIONS" request to succeed, and causes a "501 Not Implemented" status to be returned for "PROPFIND".

After 19 failed MS Word 2007 finally decides that it can use a "GET" request to retrieve the file, and that works (the file was actually being served legitimately).


A little research shows that StaticFileHandler works even better for this. It returns 200 OK for both OPTIONS and PROPFIND verbs, along with what appears to be valid data, as long as the request is targeting an actual resource. When Word probes the folder itself, this returns a 404 Not Found.
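The answers above trace these requests to two sources: Internet-wide probing and Microsoft Office clients. The following is an added example, not code from the original thread, that separates the two in an IIS W3C log by grouping WebDAV-verb requests by User-Agent and client IP. The sample log lines are constructed, and the User-Agent prefix list is an assumption to adjust for your environment.

```python
from collections import Counter

# Verbs from the thread plus the other WebDAV methods (RFC 4918).
WEBDAV_VERBS = {"OPTIONS", "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}
# Assumption: User-Agent prefixes sent by Office and the Windows WebDAV redirector.
OFFICE_AGENTS = ("Microsoft+Office", "Microsoft-WebDAV-MiniRedir",
                 "Microsoft+Data+Access+Internet+Publishing+Provider")

# Constructed sample in IIS W3C extended format (spaces inside fields are logged as '+').
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(User-Agent)
2010-03-01 10:00:01 192.0.2.10 OPTIONS /docs/ 200 Microsoft+Office+Protocol+Discovery
2010-03-01 10:00:02 192.0.2.10 PROPFIND /docs/report.doc 501 Microsoft-WebDAV-MiniRedir/6.0.6002
2010-03-01 10:00:03 192.0.2.10 GET /docs/report.doc 200 Microsoft+Office+Existence+Discovery
2010-03-01 11:15:40 198.51.100.7 PROPFIND / 403 -
2010-03-01 11:15:41 198.51.100.7 PROPFIND /webdav/ 403 -
2010-03-01 11:20:00 203.0.113.5 GET /home 200 Mozilla/5.0
"""

def parse_w3c(text):
    """Yield one dict per log entry, keyed by the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or corrupt lines
                yield dict(zip(fields, values))

def triage_webdav(text):
    """Count WebDAV-verb requests per (source, client IP)."""
    counts = Counter()
    for entry in parse_w3c(text):
        if entry.get("cs-method", "").upper() not in WEBDAV_VERBS:
            continue
        agent = entry.get("cs(User-Agent)", "-")
        source = "office" if agent.startswith(OFFICE_AGENTS) else "other"
        counts[(source, entry.get("c-ip", "-"))] += 1
    return counts

if __name__ == "__main__":
    for (source, ip), n in sorted(triage_webdav(SAMPLE_LOG).items()):
        print(f"{source:6} {ip:15} {n}")
```

The User-Agent header is client-controlled, so an "office" label is a triage hint rather than proof of origin; "other" only means the request did not identify itself as an Office client.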
