IIS – Are there any security issues with allowing the DELETE verb on IIS 6

iis

Are there any security issues with allowing the DELETE verb on IIS 6? Does the DELETE verb do anything by default in IIS (i.e., can you delete files, etc., with it if security is not set up properly)?

I am working on a REST application and I planned on using the HTTP DELETE verb in certain requests. Our server admins have UrlScan installed and it is set to only allow GET and POST verbs. UrlScan can't selectively allow for certain paths, the rules are simply on or off, so it's enabled for the entire site. They reluctantly enabled DELETE for me, but I don't want to unknowingly open up a security hole.

Best Answer

If the IIS user (if it hasn't been changed from the default localsystem it would be an issue) has the rights to delete, then an attacker could use that access to delete files in the local system. WebDAV works using such a method.

There is a Stack Overflow answer dealing with the workarounds of not using PUT and DELETE:

https://stackoverflow.com/questions/23963/restful-web-services-and-http-verbs
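
A check an administrator could run against the site-wide UrlScan verb rules described in the question, added here as an example and not part of the original question or answer: it parses UrlScan.ini text and lists the state-changing verbs the filter lets through on every path. The sample file contents, the `STATE_CHANGING` set and the function name `audit_urlscan` are constructed for illustration.

```python
import configparser

# Constructed sample in UrlScan.ini layout: GET/HEAD/POST were allowed and
# DELETE was then added for the REST application, as in the question.
SAMPLE_INI = """\
[options]
UseAllowVerbs=1    ; 1 = use [AllowVerbs], 0 = use [DenyVerbs]

[AllowVerbs]
GET
HEAD
POST
DELETE
"""

# State-changing verbs, including the WebDAV set the answer alludes to.
STATE_CHANGING = {"DELETE", "PUT", "PROPPATCH", "MKCOL",
                  "COPY", "MOVE", "LOCK", "UNLOCK"}


def audit_urlscan(ini_text):
    """Return (mode, verbs, findings) for the verb rules in UrlScan.ini text."""
    cp = configparser.ConfigParser(allow_no_value=True, strict=False,
                                   interpolation=None,
                                   inline_comment_prefixes=(";",))
    cp.optionxform = str  # keep verbs exactly as written
    cp.read_string(ini_text)
    names = {s.lower(): s for s in cp.sections()}

    def keys(section):
        real = names.get(section.lower())
        return dict(cp.items(real)) if real else {}

    opts = {k.lower(): (v or "") for k, v in keys("options").items()}
    # A missing UseAllowVerbs is treated as 1 here (assumption of this example).
    if opts.get("useallowverbs", "1").strip() == "1":
        verbs = sorted(keys("AllowVerbs"))
        exposed = sorted(STATE_CHANGING & {v.upper() for v in verbs})
        mode = "allow-list"
    else:
        verbs = sorted(keys("DenyVerbs"))
        exposed = sorted(STATE_CHANGING - {v.upper() for v in verbs})
        mode = "deny-list"
    findings = [v + " passes the filter on every path; authorize it per "
                "resource in the application" for v in exposed]
    return mode, verbs, findings
```

Because the filter is all-or-nothing per site, each finding marks a verb whose access control has to come from the application and from file-system permissions of the account the site runs under.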