[Zope] is WebDAV a security hole?
Brian Lloyd
Brian@digicool.com
Mon, 5 Jun 2000 11:08:19 -0400
> Been playing around with WebDAV from IE5 connecting to a RedHat 6.1
> + Zope 2.1.6
>
> And it seems that quite a bit of the stuff that probably shouldn't be
> visible can be seen, for example acl_users
What other things are you referring to? (see answer for acl_users
below)
>
> Without being logged in I can start a download of it, eventually IE5
> fails, but I get this uncomfortable feeling that this is more due to IE5
> not handling this document type than anything else...
>
> If I used some other WebDAV client, could I then download acl_users, and
> if so, would this expose usernames/passwords?
It would not expose passwords - I believe that what you are seeing
is a sort of non-obvious but basically harmless thing. User folders
(acl_users) do not have an index_html method (by design). When a
DAV client tries to "download" acl_users, it is actually acquiring
the closest index_html from above and downloading that :^) One
could argue that this is lame and that attempting to GET
.../acl_users/ should raise an error (404?). I'm interested in
other viewpoints on this - if there is some consensus, a proposed
change should be put in the Collector.
Brian Lloyd brian@digicool.com
Software Engineer 540.371.6909
Digital Creations http://www.digicool.com
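To make the acquisition behaviour Brian describes concrete, here is an added illustration (not Zope's own code, and not part of the original thread): a minimal model of a folder tree in which a GET on a container without its own index_html acquires the closest index_html from an ancestor. The Folder class, the dav_get() function and the sample tree are all constructed for this example; the second mode of dav_get() models the proposed alternative of answering 404 when the index_html is only acquired, not defined on the target.

```python
class Folder:
    """Toy model of a Zope folder: attributes plus a link to the parent."""

    def __init__(self, name, parent=None, **attrs):
        self.name = name
        self.parent = parent
        self.attrs = attrs  # objects/methods defined directly on this folder

    def acquire(self, attr):
        """Walk upward to the first ancestor (or self) that defines attr.

        Returns (owner, value). Mirrors the acquisition lookup that makes
        .../acl_users/ resolve to the index_html of a folder above it.
        """
        node = self
        while node is not None:
            if attr in node.attrs:
                return node, node.attrs[attr]
            node = node.parent
        raise KeyError(attr)


def dav_get(node, refuse_acquired_index=False):
    """Model a DAV/HTTP GET on a folder.

    Default behaviour (as described in the thread): serve whatever
    index_html acquisition finds, even if it belongs to an ancestor.
    With refuse_acquired_index=True (the suggested change): only serve an
    index_html defined on the target itself, otherwise answer 404.
    """
    try:
        owner, body = node.acquire("index_html")
    except KeyError:
        return 404, ""
    if refuse_acquired_index and owner is not node:
        return 404, ""
    return 200, body


# Constructed sample tree: the site root has an index_html; acl_users
# holds user records but, by design, no index_html of its own.
root = Folder("root", index_html="<html>Welcome to the site</html>")
acl_users = Folder("acl_users", parent=root,
                   users={"admin": "<password hash, constructed>"})

if __name__ == "__main__":
    print(dav_get(acl_users))                              # (200, root's page)
    print(dav_get(acl_users, refuse_acquired_index=True))  # (404, '')
```

The body returned in the default mode is the root's index_html, which is why the download "works" yet contains nothing from the user folder itself.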