Problem
Security scanners can flag a potential vulnerability in Desktop and Laptop Option (DLO) related to the HTTP OPTIONS method being enabled on Apache HTTP Server.
Error Message
Example security message: The option method is enabled throughout the application
Cause
N/A
Solution
It is possible to disable the HTTP OPTIONS method in Apache, without impacting DLO functionality.
To do this:
- Download a copy of curl.exe (which is included in Windows 10/11 client OS builds).
- Open a command prompt in the folder where curl.exe is saved and run the following command:
curl.exe -i -X OPTIONS http://<web restore URL>:90
- This produces a result like the one below, where the 'Allow' line lists OPTIONS.
HTTP/1.1 200 OK
Date: Mon, 08 Oct 2018 15:14:23 GMT
Server: Apache
Allow: OPTIONS,POST,GET,HEAD
Content-Length: 0
Content-Type: text/html
- Open the C:\Program Files\Apache Software Foundation\Apache24\Conf\httpd.conf file
- Scroll down the contents of that file. Under the <Directory /> section, add the <Limit OPTIONS> ... </Limit> lines as shown below and save the file:
<Directory />
AllowOverride none
Require all denied
<Limit OPTIONS>
Order deny,allow
Deny from all
</Limit>
</Directory>
- In the command prompt, in the folder where curl.exe is saved, rerun the following command:
curl.exe -i -X OPTIONS http://<web restore URL>:90
- This now produces a result like the one below, where the 'Allow' line is no longer displayed.
HTTP/1.1 200 OK
Date: Mon, 08 Oct 2018 15:14:23 GMT
Server: Apache
Content-Length: 0
Content-Type: text/html
The HTTP OPTIONS method is now disabled on the system.
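To repeat the before/after check without reading the headers by eye, the following Python script (an added example, not part of the original article or of DLO) parses the output of the curl.exe command above and reports whether the Allow header still lists OPTIONS. The function names and the check.py file name are assumptions; the two embedded responses are the ones shown in the steps above.

```python
import sys

# The two responses shown in the article (before and after the httpd.conf change).
BEFORE = """HTTP/1.1 200 OK
Date: Mon, 08 Oct 2018 15:14:23 GMT
Server: Apache
Allow: OPTIONS,POST,GET,HEAD
Content-Length: 0
Content-Type: text/html
"""
AFTER = """HTTP/1.1 200 OK
Date: Mon, 08 Oct 2018 15:14:23 GMT
Server: Apache
Content-Length: 0
Content-Type: text/html
"""

def parse_response(raw):
    """Split raw `curl -i` output into (status_code, {header: [values]})."""
    lines = raw.replace("\r\n", "\n").strip().split("\n")
    parts = lines[0].split(None, 2)          # e.g. HTTP/1.1 200 OK
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP response: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break                             # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:                               # names are case-insensitive and may repeat
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return int(parts[1]), headers

def check_options(raw):
    """Return (status, sorted advertised methods, True if OPTIONS is advertised)."""
    status, headers = parse_response(raw)
    methods = sorted({m.strip().upper()
                      for value in headers.get("allow", [])
                      for m in value.split(",") if m.strip()})
    return status, methods, "OPTIONS" in methods

if __name__ == "__main__":
    # With piped input (curl.exe -i -X OPTIONS <URL> | python check.py, a
    # hypothetical file name) check that; otherwise run the article's samples.
    samples = [BEFORE, AFTER] if sys.stdin.isatty() else [sys.stdin.read()]
    for raw in samples:
        status, methods, exposed = check_options(raw)
        print(status, ",".join(methods) or "(none)",
              "OPTIONS advertised" if exposed else "OPTIONS not advertised")
```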