RE: [Zope] is WebDAV a security hole?

2000-06-05 Thread Brian Lloyd

> Been playing around with WebDAV from IE5 connecting to a RedHat 6.1
> +Zope 2.1.6
>
> And it seems that quite a bit of the stuff that probably shouldn't be
> visible can be seen, for example acl_users

What other things are you referring to? (see answer for acl_users
below)

>
> Without being logged in I can start a download of it, eventually IE5
> fails, but I get this uncomfortable feeling that this is more due to IE5
> not handling this document type than anything else...
>
> If I used some other WebDAV client, could I then download acl_users, and
> if so, would this expose usernames/passwords?

It would not expose passwords - I believe that what you are seeing
is a sort of non-obvious but basically harmless thing. User folders
(acl_users) do not have an index_html method (by design). When a 
DAV client tries to "download" acl_users, it is actually acquiring
the closest index_html from above and downloading that :^) One 
could argue that this is lame and that attempting to GET 
.../acl_users/ should raise an error (404?). I'm interested in 
other viewpoints on this - if there is some consensus, a proposed 
change should be put in the Collector.



Brian Lloyd        [EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 



___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )




Re: [Zope] is WebDAV a security hole?

2000-06-05 Thread Jacob Lundqvist

Brian Lloyd wrote:
> > If I used some other WebDAV client, could I then download acl_users, and
> > if so, would this expose usernames/passwords?
>
> It would not expose passwords - I believe that what you are seeing
> is a sort of non-obvious but basically harmless thing. User folders
> (acl_users) do not have an index_html method (by design). When a
> DAV client tries to "download" acl_users, it is actually acquiring
> the closest index_html from above and downloading that :^) One
> could argue that this is lame and that attempting to GET
> .../acl_users/ should raise an error (404?). I'm interested in
> other viewpoints on this - if there is some consensus, a proposed
> change should be put in the Collector.

Thanx for an informative response!

Btw I tried WebDAV vs. www.zope.org and that site refused the connection
attempt.
Is there some obvious setting that I can use to disable WebDAV, since I
don't need it (as far as I know;)

regards /Jacob Lundqvist
-- 
Mail: [EMAIL PROTECTED]
Phone: +46-708-555 456





RE: [Zope] is WebDAV a security hole?

2000-06-05 Thread Brian Lloyd

> Thanx for an informative response!
>
> Btw I tried WebDAV vs. www.zope.org and that site refused the connection
> attempt.
> Is there some obvious setting that I can use to disable WebDAV, since I
> don't need it (as far as I know;)

DAV won't work for zope.org because it runs behind apache and 
we've never done the incantation apache requires to let 
cgi-ish processes handle their own DAV requests.

As far as disabling DAV support, there's no real way to do that
(except for running behind apache or another server that interferes
with DAV requests by default). This really shouldn't be a problem - 
the extended HTTP methods that provide DAV support all basically 
have Zope api corollaries, so the DAV methods are protected by the 
analogous permissions. For example:

PROPFIND  - manage properties
PROPPATCH - manage properties
DELETE- delete objects
MKCOL - Add folders

...and so on. GET, POST and PUT are used by DAV exactly as in 
the HTTP spec, so if you can "download" something via DAV then 
you could also have gotten it with your normal non-DAV aware 
browser.

Hope this helps!


Brian Lloyd        [EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 



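The two mechanisms discussed in this thread, acquisition of index_html from a container above (Brian's first reply) and the mapping of DAV methods onto ordinary Zope permissions (his second reply), are easy to misread from prose alone. The following is an added toy model written for this page; it is not Zope code and does not use the Zope API. The object tree, the role sets and the permission names on each node are constructed; the method-to-permission table follows the one Brian lists, with GET mapped to "View" as an assumption. The `strict_user_folder` switch models the proposed change of answering GET on a user folder with 404 instead of acquiring index_html.

```python
"""Toy model of Zope-style acquisition and DAV method permission checks.
Added example for this thread, not part of Zope or the mailing-list posts."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# DAV methods and the Zope permission that guards each (from the thread);
# GET -> "View" is an assumption added here for completeness.
DAV_METHOD_PERMISSION = {
    "PROPFIND": "Manage properties",
    "PROPPATCH": "Manage properties",
    "DELETE": "Delete objects",
    "MKCOL": "Add Folders",
    "GET": "View",
}


@dataclass
class Node:
    """A container in a constructed, Zope-like object tree."""
    name: str
    parent: Optional["Node"] = None
    is_user_folder: bool = False
    attrs: Dict[str, str] = field(default_factory=dict)       # e.g. index_html body
    perms: Dict[str, Set[str]] = field(default_factory=dict)  # permission -> roles
    children: Dict[str, "Node"] = field(default_factory=dict)

    def add(self, child: "Node") -> "Node":
        child.parent = self
        self.children[child.name] = child
        return child


def acquire(node: Node, name: str) -> Tuple[Optional[Node], Optional[str]]:
    """Acquisition: return the closest object above (or at) node that has `name`."""
    n = node
    while n is not None:
        if name in n.attrs:
            return n, n.attrs[name]
        n = n.parent
    return None, None


def roles_for(node: Node, permission: str) -> Set[str]:
    """Permission settings are acquired from containers too."""
    n = node
    while n is not None:
        if permission in n.perms:
            return n.perms[permission]
        n = n.parent
    return set()


def handle(node: Node, method: str, roles: Set[str],
           strict_user_folder: bool = False) -> Tuple[int, str]:
    """Dispatch one request and return (status, body).

    The permission check happens first, so an unauthenticated PROPFIND on
    acl_users is refused (401) before any content is looked up.  A GET that
    is permitted then acquires index_html exactly as Brian describes; with
    strict_user_folder=True a user folder answers 404 instead."""
    permission = DAV_METHOD_PERMISSION.get(method)
    if permission is None:
        return 405, ""
    if not (roles & roles_for(node, permission)):
        # Anonymous callers get a challenge; authenticated but unprivileged get 403.
        return (401 if roles == {"Anonymous"} else 403), ""
    if method != "GET":
        return 200, ""  # side effects of the other methods are not modelled
    if node.is_user_folder and strict_user_folder:
        return 404, ""
    _owner, body = acquire(node, "index_html")
    return (200, body) if body is not None else (404, "")


def build_site() -> Node:
    """Constructed tree: a site root with an index_html, a docs folder with
    its own index_html, and an acl_users folder with none (by design)."""
    root = Node("root",
                attrs={"index_html": "<html>site front page</html>"},
                perms={"View": {"Anonymous", "Authenticated", "Manager"},
                       "Manage properties": {"Manager"},
                       "Delete objects": {"Manager"},
                       "Add Folders": {"Manager"}})
    root.add(Node("docs", attrs={"index_html": "<html>docs</html>"}))
    root.add(Node("acl_users", is_user_folder=True))
    return root


if __name__ == "__main__":
    site = build_site()
    acl = site.children["acl_users"]
    print("anonymous GET acl_users   :", handle(acl, "GET", {"Anonymous"}))
    print("strict GET acl_users      :", handle(acl, "GET", {"Anonymous"}, True))
    print("anonymous PROPFIND        :", handle(acl, "PROPFIND", {"Anonymous"}))
    print("manager PROPFIND          :", handle(acl, "PROPFIND", {"Manager"}))
```

Running it shows the point of the thread: the anonymous GET on acl_users succeeds but returns the root's front page, not anything from the user folder, while PROPFIND on the same object is refused until the caller holds the "Manage properties" permission. Whether a DAV client or a browser sent the GET makes no difference to the outcome.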