[Zope] WebDAV's not really the problem...

Chris Withers chrisw@nipltd.com
Fri, 29 Sep 2000 12:51:37 +0100

JXlio Dinis Silva wrote:
> I think zope MUST have a way to disable webdav access.
> Running a webdav client on some zope sites I found in almost all
> of them things like test_html index_html_old and some other
> forgiven methods that programmers leave on their applications.
> Depending on what test programmers were doing in this methods
> one could find a way to do some DOS on does sites, just to begin.

Yes, your fears are valid, but WebDAV really isn't the problem. Zope, at
a deeper level, is what is causing your problem.
You can find out the above information using any web browser, try this:


I see they haven't deleted the QuickStart. Interesting... As you point
out, once you know the names of methods and the like (see
http://www.cbsnewyork.com/objectValues to find out what type objects
are, funny... objectItems, which would be slightly more useful, isn't
actually URL traversable...), you can do DOS attacks... more
interestingly, if you find a method that is anonymously accessible but
with some cool proxy roles (maybe because it needs to be like that), you
can see if you can cause bad things to happen (like deleting data) by
passing in interesting parameters (remember, Zope handily pops the
traceback in the response, even in production mode, so you can tell what
parameter you left out ;-)

Anyway, enough of the problem... possible solutions:

1. Hack the Zope code so the traceback isn't appended to your HTML in
production mode

2. Give anything you don't want to be traversable a prefix like i_ and
then use Apache to screen these out, along with */manage*.

3. Setup a decent firewall to prevent XML-RPC, FTP and WebDAV access to
your Zope server, except by people you trust.

It's a hard problem to solve, made harder by the fact that Zope supports
loads of protocols and is totally manageable through the web. These are
Zope's strengths, but they do raise itneresting problems :-S