Path 'PROPFIND' is forbidden?

Graham Conzett Published in 2009-11-18 15:46:20Z

I am receiving the following error but can't seem to make sense out of it within the context that it's happening:

      Message: Path 'PROPFIND' is forbidden.
      StackTrace:
         at System.Web.HttpMethodNotAllowedHandler.ProcessRequest(HttpContext context)
         at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
         at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

Google has turned up results that don't seem to have anything to do with my app (this is asp.net MVC on IIS6). The site is functioning fine, but I would like to try and catch and handle this error. Thanks.

48klocs Reply to 2009-11-18 15:59:08Z

Is it a public web server? A quick Googling seems to indicate that there was a DOS attack involving PROPFIND and WebDAV. If it's public, you're picking up logs from spray-and-pray drive-by attackers. If it's internal, you've got a bigger head-scratcher.

Kev Reply to 2009-11-19 05:47:30Z

It could be one of two issues:

  1. PROPFIND is not defined as a permissible verb on the website for the ASP.NET scriptmap.
  2. The server is running UrlScan and does not permit PROPFIND. Check the [AllowVerbs] and [DenyVerbs] sections of c:\Windows\System32\InetSrv\urlscan\UrlScan.ini

Graham Conzett Reply to 2009-11-22 04:37:18Z

Ok I think we found the answer, and evidently it's sort of obvious, but I'm not a systems guy so that's my excuse. ;) In using MVC with IIS 6 we have implemented Wildcard Mapping to get the nice extensionless URLs for the site. But the way I understand it, with the wildcard mapping enabled it just processes all the requests as though they were for ASP.net including these WebDAV verbs issued by the people blindly probing for vulnerabilities that 48klocs mentioned.

John Saunders Reply to 2011-10-29 02:11:46Z

We've been seeing these a lot, and have determined that many of them come from Microsoft Office products. In particular, Microsoft Office.

See "How documents are opened from a Web site in Office 2003" for somewhat of an explanation.

I have been able to receive some brief relief by adding a mapping for the DefaultHttpHandler in web.config for those two verbs:

      <add verb="*" path="*.mvc" validate="false" type="System.Web.Mvc.MvcHttpHandler, System.Web.Mvc, Version=, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL" />
      <add path="*" verb="OPTIONS, PROPFIND" type="System.Web.DefaultHttpHandler" />

This causes the "OPTIONS" request to succeed, and causes a "501 Not Implemented" status to be returned for "PROPFIND".

After 19 failed MS Word 2007 finally decides that it can use a "GET" request to retrieve the file, and that works (the file was actually being served legitimately).

A little research shows that StaticFileHandler works even better for this. It returns 200 OK for both OPTIONS and PROPFIND verbs, along with what appears to be valid data, as long as the request is targeting an actual resource. When Word probes the folder itself, this returns a 404 Not Found.
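
Added example (not part of the thread, and not any poster's code): the replies name two sources for these requests, blind probing and Microsoft Office clients, and this sketch separates them in an IIS W3C log by client IP and User-Agent. The log lines are constructed, and the user-agent prefixes are assumptions about what Office and the Windows WebDAV redirector send; adjust them to what your own logs show.

```python
"""Triage WebDAV verbs (OPTIONS/PROPFIND) in an IIS W3C log by client type."""
from collections import Counter

# Constructed sample in IIS W3C extended format (documentation-range IPs).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem c-ip cs(User-Agent) sc-status
2011-10-28 09:14:02 OPTIONS /docs/ 192.0.2.10 Microsoft+Office+Protocol+Discovery 200
2011-10-28 09:14:02 PROPFIND /docs/report.doc 192.0.2.10 Microsoft-WebDAV-MiniRedir/6.1.7601 501
2011-10-28 09:14:03 GET /docs/report.doc 192.0.2.10 Mozilla/4.0+(compatible;+MSIE+7.0) 200
2011-10-28 11:40:51 PROPFIND / 198.51.100.7 - 405
2011-10-28 11:40:52 PROPFIND /webdav/ 198.51.100.7 - 405
"""

WEBDAV_VERBS = {"OPTIONS", "PROPFIND"}
# Assumed User-Agent prefixes for Office and the Windows WebDAV redirector
# (IIS logs spaces as '+'). A User-Agent is client-controlled, so this is a
# triage hint, not proof of origin.
OFFICE_AGENTS = ("microsoft+office", "microsoft-webdav-miniredir")


def parse_w3c(text):
    """Yield one dict per request, using the #Fields directive for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or corrupt rows
                yield dict(zip(fields, values))


def triage(text):
    """Count WebDAV-verb requests per (client IP, likely source)."""
    counts = Counter()
    for row in parse_w3c(text):
        if row["cs-method"].upper() not in WEBDAV_VERBS:
            continue
        agent = row.get("cs(User-Agent)", "-").lower()
        source = "office" if agent.startswith(OFFICE_AGENTS) else "unidentified"
        counts[(row["c-ip"], source)] += 1
    return counts


if __name__ == "__main__":
    for (ip, source), n in sorted(triage(SAMPLE_LOG).items()):
        print(f"{ip:15} {source:12} {n}")
```

An "office" client that follows its PROPFIND with a GET for the same document matches the Word behaviour described above; "unidentified" clients sending PROPFIND to paths the site never serves are the ones worth reviewing.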
