Package: davmail
Version: 5.5.1.3299-5

Hi,

Our automated security scanner happened across our davmail's calendar
TCP port, and complains that it lists the DELETE method when asked for
OPTIONS, thinking that this is a security hole "The Web server contains
a flaw that may allow a remote attacker to delete arbitrary files by
using the HTTP method 'DELETE', resulting in a loss of integrity".

Well obviously, for a calendar, this is not a problem (it should be
possible to cancel events, after all), but the scanner does have a
point: normally this should only be available for users that are
*authenticated*. However, this is not the case:

alain@ceres:~$ openssl s_client -connect localhost:2443
OPTIONS / HTTP/1.0

HTTP/1.1 200 OK
Server: DavMail Gateway 5.5.1-trunk
DAV: 1, calendar-access, calendar-auto-schedule,
calendarserver-private-events, addressbook
Date: Mon, 06 Feb 2023 13:47:07 +0000
Expires: Mon, 06 Feb 2023 13:47:07 +0000
Cache-Control: private, max-age=0
Allow: OPTIONS, PROPFIND, HEAD, GET, REPORT, PROPPATCH, PUT, DELETE, POST
Connection: keep-alive
Content-Length: 0

IMHO, methods that imply write operations should only be listed if a
valid Authorization header has been sent by the client.

Thanks,
-- 
Alain Knaff
Ingénieur Informaticien

LE GOUVERNEMENT DU GRAND-DUCHÉ DE LUXEMBOURG
Ministère de l'Environnement, du Climat et du Développement durable
Administration de l'environnement

1, avenue du Rock'n'Roll . L-4361 Esch-sur-Alzette
Tél. (+352) 40 56 56-309
E-Mail: alain.kn...@aev.etat.lu
www.emwelt.lu . www.environnement.public.lu . www.luxembourg.lu
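The check the scanner performed, and the gating the reporter proposes, written out as an added example; this is not code from the report or from the DavMail project. It reuses the OPTIONS transcript quoted above as constructed offline input (the DAV header unwrapped onto one line). The set of write methods extends beyond the four DavMail advertises (PROPPATCH, PUT, DELETE, POST) to the remaining WebDAV write methods, which is an assumption, and `probe()` is a live re-implementation of the `openssl s_client` step that is only meant to be run by hand against a real listener. All function names are hypothetical.

```python
import socket
import ssl

# Methods that change server state. PROPPATCH, PUT, DELETE and POST are the
# ones DavMail advertises in the report; the rest are the other WebDAV write
# methods from RFC 4918, included so the check generalises (an assumption,
# the report does not show DavMail offering them).
WRITE_METHODS = {"PUT", "DELETE", "POST", "PATCH", "PROPPATCH",
                 "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}

# Constructed offline input: the OPTIONS response quoted in the report.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: DavMail Gateway 5.5.1-trunk\r\n"
    "DAV: 1, calendar-access, calendar-auto-schedule, "
    "calendarserver-private-events, addressbook\r\n"
    "Date: Mon, 06 Feb 2023 13:47:07 +0000\r\n"
    "Expires: Mon, 06 Feb 2023 13:47:07 +0000\r\n"
    "Cache-Control: private, max-age=0\r\n"
    "Allow: OPTIONS, PROPFIND, HEAD, GET, REPORT, PROPPATCH, PUT, DELETE, POST\r\n"
    "Connection: keep-alive\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status line, {lowercased name: value}).
    Obsolete line folding (continuation lines starting with whitespace) is
    joined back onto the previous header; a repeated header keeps the last value."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status_line = lines[0]
    headers = {}
    last = None
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and last is not None:
            headers[last] += " " + line.strip()
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # malformed line: no colon, ignore it
        last = name.strip().lower()
        headers[last] = value.strip()
    return status_line, headers


def allowed_methods(headers):
    """Methods advertised in the Allow header, in server order."""
    return [m.strip().upper() for m in headers.get("allow", "").split(",") if m.strip()]


def has_authorization(request_headers):
    return any(k.lower() == "authorization" for k in request_headers)


def audit_options(raw_response, request_headers=None):
    """Scanner-side check: the write methods the server advertised to a request
    that carried no Authorization header. An empty list means no finding."""
    request_headers = request_headers or {}
    if has_authorization(request_headers):
        return []
    _status, headers = parse_response(raw_response)
    return [m for m in allowed_methods(headers) if m in WRITE_METHODS]


def filter_allow(methods, request_headers):
    """Server-side behaviour the reporter asks for: only list write methods in
    Allow once the client has presented an Authorization header."""
    if has_authorization(request_headers):
        return list(methods)
    return [m for m in methods if m not in WRITE_METHODS]


def probe(host, port, path="/", timeout=5):
    """Live equivalent of the openssl s_client session in the report: an
    anonymous HTTP/1.0 OPTIONS over TLS. Certificate checks are disabled
    because a local DavMail listener typically uses a self-signed certificate;
    do not reuse this context for anything but a loopback probe."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    request = f"OPTIONS {path} HTTP/1.0\r\n\r\n".encode()  # no Authorization, as in the report
    with socket.create_connection((host, port), timeout=timeout) as sock, \
            ctx.wrap_socket(sock, server_hostname=host) as tls:
        tls.sendall(request)
        chunks = []
        while True:
            data = tls.recv(4096)
            if not data:
                break
            chunks.append(data)
    return parse_response(b"".join(chunks).decode("iso-8859-1"))


if __name__ == "__main__":
    # Offline run over the constructed transcript; swap in probe("localhost", 2443)
    # to repeat the reporter's live check.
    findings = audit_options(SAMPLE_RESPONSE)
    print("write methods advertised without authentication:", ", ".join(findings) or "none")
    status, hdrs = parse_response(SAMPLE_RESPONSE)
    print("Allow as the reporter would have it:", ", ".join(filter_allow(allowed_methods(hdrs), {})))
```

The audit is deliberately header-only: it reports what the server advertises to an anonymous client, which is exactly what the scanner keyed on, and says nothing about whether an anonymous DELETE would actually succeed. Confirming that would need a second request and is a separate, potentially destructive test.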
