[Zope] is WebDAV a security hole?
Jacob Lundqvist
jaclu@galdrion.com
Mon, 05 Jun 2000 19:40:51 +0200
Brian Lloyd wrote:
> > If I used some other WebDAV client, could I then download
> > acl_users, and
> > if so, would this expose usernames/passwords?
>
> It would not expose passwords - I believe that what you are seeing
> is a sort of non-obvious but basically harmless thing. User folders
> (acl_users) do not have an index_html method (by design). When a
> DAV client tries to "download" acl_users, it is actually acquiring
> the closest index_html from above and downloading that :^) One
> could argue that this is lame and that attempting to GET
> .../acl_users/ should raise an error (404?). I'm interested in
> other viewpoints on this - if there is some consensus, a proposed
> change should be put in the Collector.
Thanks for an informative response!
Btw I tried WebDAV vs. www.zope.org and that site refused the connection
attempt.
Is there some obvious setting that I can use to disable WebDAV, since I
don't need it (as far as I know;)?
regards /Jacob Lundqvist
--
Mail: Jaclu@galdrion.com
Phone: +46-708-555 456
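
Added example, not part of the original message and not Zope's own code: a simplified Python model of the acquisition behaviour described in the quoted reply, where a GET on acl_users returns the index_html acquired from the containing folder, beside the stricter variant that answers 404. The Node class, the get() function and the sample site are assumptions constructed for illustration.

```python
class NotFound(Exception):
    """Stands in for an HTTP 404 response."""


class Node:
    """Hypothetical stand-in for a published object with a container."""

    def __init__(self, name, parent=None, **attrs):
        self.name, self.parent, self.attrs = name, parent, dict(attrs)

    def acquire(self, attr):
        """Return (owner, value), searching this node and then its containers."""
        node = self
        while node is not None:
            if attr in node.attrs:
                return node, node.attrs[attr]
            node = node.parent
        raise NotFound(attr)


def get(node, strict=False):
    """Answer a GET on the node's URL with (owner name, body).

    strict=False: index_html is acquired from the nearest container,
                  the behaviour described in the reply.
    strict=True:  only an index_html defined on the node itself is used,
                  otherwise NotFound (the 404 change floated in the reply).
    """
    if strict:
        if "index_html" not in node.attrs:
            raise NotFound(node.name)
        return node.name, node.attrs["index_html"]
    owner, body = node.acquire("index_html")
    return owner.name, body


def build_site():
    """Constructed sample: a root folder and a user folder without index_html."""
    root = Node("root", index_html="<html>Welcome page</html>")
    acl_users = Node("acl_users", parent=root,
                     users={"jacob": "<password placeholder>"})
    return root, acl_users


if __name__ == "__main__":
    root, acl_users = build_site()
    print(get(acl_users))           # body comes from root, not from acl_users
    try:
        get(acl_users, strict=True)
    except NotFound as exc:
        print("404 for", exc)
```

In this model the "downloaded" acl_users body is the parent's page and never touches the users mapping, which is why the download looks alarming but exposes no credentials.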