[Zope] Summary: Webdav security(hole?)question.
Mon, 14 May 2001 11:11:27 +0200
Hi All, Chris (suspicious), Tim (FreePM), Joachim (Explorere remembers
Thanks for contributions on the WebDAV thread. I digged a little into it,
and I can now shamefully say that my observations on WebDAV were not
completely correct (blush). So here is my summary:
Thanks to Chris and Tim, I re-examined the security-policy of my
Zopeserver. And was very surprized to see that the access contents
information permission was default assigned to role anonymous. I changed
this immediately. This put me in the wrong direction: after changing my
manager-passwordt, I could still browse through my Zope-site with
WebFolder, without being asked for a new password. I understand this now...
I changed from manager to anonymous from the perspective of the WebFolder,
and anonymous could browse through the system. Because I saw no change in
behaviour on the WebFolder side, I thought nothing had changed. But it did:
I could'nt write or change files anymore: here the long awaited
username/password dialog finally showed up. Phew... sorry about this, I
should have examined this more carefully... My preliminary false conclusion
was by the way supported by the fact that the first windows2000 site I
tried to access via WebDAV was completely open (yes, with write supported),
no password required...
Chris and Tim: I agree completely with you that the securitypolicy via
WebDAV should be the same as via the http methods.
Tim: of course, I could not gain access to FreePM ;-)
Joachim: thanks to your email I understand why my new Zope installation
(2.3.1 -> 2.3.2) did not require new authentication via WebDAV. Thanks Bill
So: thank you all very much. I will creep back in my hole, and go shame
Goodbey! Greetings, Antwan.
>I have a weird security problem with my Zope installation. I'm now running
>Zope 2.3.2 on Windows98, but the problem also occurred in Zope 2.3.1.
>I installed a Webfolder in my explorer, to gain access via Webdav to the
>Zope Server. It did'nt require a username/password to gain full access to
>the server... I tried to change my password from within Zope, but that
>did'nt change a thing... I can walk in, without authentication needed...!
>I was worried about this, so I decided to test Webdav on some
>Windows2000/IIS5 servers on internet too, to see if they required
>authentication. And a shocking 1 out of 4 servers I tried, where
>completely open to Webdav... I could retrieve directory listings, and I
>also had WRITE privileges. Some very important, large websites contain
>How is this possible???? How can I fix this hole in my Zope installation?
>Can I disable Webdav access completely, if there is no short term solution?
>Any help is greatly appreciated.
>Thanks in advance, greetings, Antwan Reijnen.