HTTP DELETE is not a Vulnerability for the KACE SMA product.
The KACE SMA allows the DELETE method because our RESTful API uses it; the web server itself does not. The DELETE method was historically considered unsafe because its original purpose was to delete files on the web server.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/DELETE
Nowadays, the DELETE method is often used in RESTful APIs. The use of DELETE in the API requires authentication and an API key.
API access can be restricted in the KACE SMA by navigating to Settings | Access Control List, selecting the API option in the Destination dropdown, and defining the address(es) and subnet allowed (for example, to prevent all external API access, set the IP address to 127.0.0.1).
Please note this will also prevent KACE GO app users from being able to connect to the appliance.
© 2024 Quest Software Inc. ALL RIGHTS RESERVED.