Not applicable

HTTP Methods

Hi friends, hope all of you are fine.

This time I have an issue with the HTTP methods: a client ran some vulnerability tests on QV Server and found some non-safe methods (PUT, DELETE, TRACE, OPTIONS, MKDIR, CONNECT, RMDIR, PROPATCH, COPY, LOCK).

He asked me if we can close or disable them.

Does QVWS use those methods? If so, does a Qliktech technical document exist that supports the use of those?

Or how can I disable those methods?

Actually, we are using Qlikview Web server.

Any help will be appreciated.

Thanks in advance.

Karim

6 Replies
danielrozental
Master II

You should probably try using IIS as a webserver as it will probably be easier to configure.

Not applicable
Author

It seems that sending an http request to qlikview webserver with another verb than GET or POST always results in "<result><message text='Empty Request'/></result>" responses.

I do not understand what you want to do, how could that be a security problem?

Not applicable
Author

Thanks,

I can't go back and install IIS, because the client doesn't want it.

The IT security department ran a test and wrote me this:

Insecure HTTP methods like PUT, DELETE, TRACE, OPTIONS, MKDIR, CONNECT, RMDIR, PROPATCH, COPY, LOCK are enabled, or at least one of them.

Vulnerability risks.

"the attacker could use any of these HTTP methods to query, create, delete files within the server, as well as the ability to upload a file Shell and complete information about the server."

rwunderlich
Partner Ambassador/MVP

It sounds like a boilerplate security review question. I would ask support or your sales rep for the "standard response" from Qliktech.

As jgeorge pointed out, using any other verb does nothing useful and returns a standard result. The IT security dept is probably reacting to the fact that the server did not reject those requests. But they overlooked the fact the server does nothing useful with those requests.

-Rob
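
An added example, not part of the original thread and not Qlik code: a way to triage the scan finding by sending each reported verb and recording whether the server rejects it or answers with the generic "Empty Request" body described above. The local stub server, the path `/`, and the set of status codes treated as a rejection are assumptions made for this sketch; `demo()` runs the probe against the stub.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
# Verbs listed in the scan report quoted in the thread (spelled as quoted).
METHODS = ["PUT", "DELETE", "TRACE", "OPTIONS", "MKDIR", "CONNECT",
           "RMDIR", "PROPATCH", "COPY", "LOCK"]
# Generic body the thread reports for verbs other than GET or POST.
NOOP_BODY = b"<result><message text='Empty Request'/></result>"

def classify(status, body):
    """Triage one response to a non-GET/POST request."""
    if status in (400, 403, 405, 501):
        return "rejected"        # server refuses the verb outright
    if NOOP_BODY in body:
        return "accepted-noop"   # answered, but with the generic no-op body
    return "review"              # anything else needs a human look

def probe(host, port, path="/", timeout=5):
    """Send each reported verb once and classify the reply."""
    results = {}
    for method in METHODS:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request(method, path)
            resp = conn.getresponse()
            results[method] = classify(resp.status, resp.read())
        finally:
            conn.close()
    return results

class StubHandler(BaseHTTPRequestHandler):
    """Constructed stand-in that answers every verb with the generic body."""
    def _reply(self):
        self.send_response(200)
        self.send_header("Content-Length", str(len(NOOP_BODY)))
        self.end_headers()
        self.wfile.write(NOOP_BODY)
    def log_message(self, *args):  # silence per-request logging
        pass
for _m in METHODS:  # http.server dispatches on do_<VERB>
    setattr(StubHandler, "do_" + _m, StubHandler._reply)

def demo():
    server = HTTPServer(("127.0.0.1", 0), StubHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe("127.0.0.1", server.server_port)
    finally:
        server.shutdown()
        server.server_close()
```

A result of "accepted-noop" for every verb matches the behaviour described in the replies; "review" marks a response that needs a closer look before the finding is closed.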

Anonymous
Not applicable
Author

Did you get a correct solution? Anybody?

Anonymous
Not applicable
Author

Has QlikTech given any response to this topic?