2.7.3. WebDAV | HEX博客

2.7.3.1. 简介

WebDAV （Web-based Distributed Authoring and Versioning）一种基于 HTTP 1.1协议的通信协议。它扩展了HTTP 1.1，在GET、POST、HEAD等几个HTTP标准方法以外添加了一些新的方法，使应用程序可对Web Server直接读写，并支持写文件锁定、解锁，以及版本控制等功能。

支持的方法具体为：

OPTIONS
- 获取服务器的支持
GET / PUT / POST / DELETE
- 资源操作
TRACE
- 跟踪服务器
HEAD
MKCOL
- 创建集合
PROPFIND / PROPPATCH
COPY / MOVE
LOCK / UNLOCK

2.7.3.2. 相关CVE

CVE-2015-1833
- Apache Jacrabbit WebDav XXE
- http://www.securityfocus.com/archive/1/535582
CVE-2015-7326
- Milton WebDav XXE
- http://www.securityfocus.com/archive/1/536813

2.7.3.3. 参考链接

2.7.3.3.1. RFC

RFC 3253 Versioning Extensions to WebDAV (Web Distributed Authoring and Versioning)
RFC 3648 Web Distributed Authoring and Versioning (WebDAV) Ordered Collections Protocol
RFC 3744 Web Distributed Authoring and Versioning (WebDAV) Access Control Protocol
RFC 4437 Web Distributed Authoring and Versioning (WebDAV) Redirect Reference Resources
RFC 4918 HTTP Extensions for Web Distributed Authoring and Versioning (WebDAV)
RFC 5323 Web Distributed Authoring and Versioning (WebDAV) SEARCH
RFC 5842 Binding Extensions to Web Distributed Authoring and Versioning (WebDAV)

2.7.3.3.2. Blog

What should a hacker know about WebDav