[Zope] WebDAV security (hole?) question.

Tim Cook tim@freepm.org
Sat, 12 May 2001 14:49:21 -0500


Chris McDonough wrote:
> 
> Hi Antwan,

> That said, I'm suspicious of the claim that via WebDAV, you're able to
> subvert the Zope security policy in any way, because it's the same one
> that's used by "normal" HTTP access.  For example, if you're able to
> change the body of a DTML method via WebDAV on your site, it's likely
> because the permission "Add Documents, Images, and Files" (or perhaps
> "Change DTML Methods") is provided to the Anonymous user respective to
> the object itself.  Likewise, if you can PUT a DTML document into a
> folder as the anonymous user, it's likely because the "Add Documents,
> Images, and Files" permission is provided to the Anonymous User
> respective to the folder.
> 
> Can you provide a specific set of steps using WebDAV that demonstrates a
> subversion of your specific security policy?

I am also suspicious. I have not tried an MS client, but I did use
cadaver to test WebDAV access last week, and it prompted for a
password as it should.

Antwan, feel free to hit the DEMO site below and let me know if
you trash my demo <s>.
Thanks,
-- 
Tim Cook, President - FreePM, Inc.
http://www.FreePM.com Office: (731) 884-4126
ONLINE DEMO: http://www.freepm.org:8080/FreePM