[ZWeb] Re: [ZOC] 68/ 1 Request "WebDAV allows complete listings of the site"

Andreas Jung <andreas@andreas-jung.com>
Sat, 05 Apr 2003 14:51:32 +0200


For Zope 2.7 I changed the WebDAV access permission so that by
default only Managers and Authenticated users are allowed to access Zope.

-aj


--On Saturday, 5 April 2003 9:43 -0300 Sidnei da Silva 
<sidnei@x3ng.com> wrote:

> On Sat, Apr 05, 2003 at 07:34:54AM -0500, Collector: NEW Zope.org (the
> ... wrote:
>| Issue #68 Update (Request) "WebDAV allows complete listings of the site"
>|  ** Security Related ** (Confidential)
>|  Status Pending_confidential, content/bug critical
>| To followup, visit:
>|   http://collector.zope.org/ZopeOrg/68
>|
>| ==============================================================
>| = Request - Entry #1 by efge on Apr 5, 2003 7:34 am
>|
>|
>| Uploaded:  "zope-propfind.txt"
>|  - http://collector.zope.org/ZopeOrg/68/zope-propfind.txt/view
>| Using Nautilus from Gnome 2.2, if you go to http://zope.org without any
>| authentication, you still get a full listing of the site objects.
>|
>| Nautilus does a PROPFIND, controlled by "WebDAV access", and it appears
>| that this is allowed for Anonymous on zope.org. I suggest removing the
>| "WebDAV access" permission from Anonymous.
>|
>| I'm attaching a dump of the tcp conversation.
>
> What makes you think that's a security issue? It's been there for more
> than 2 years now, and it's the default configuration for Zope (at least
> until the 2.5 series, haven't checked on 2.6). There's nothing there
> that can't be accessed by a browser. (BTW, the same happens with WinXP
> if you use \\zope.org, and the same happens to zope.com, and any other
> zope site that runs the default configuration)
>
> []'s
> --
> Sidnei da Silva (dreamcatcher) <sidnei@x3ng.com.br>
> X3ng Web Technology <http://www.x3ng.com.br>
> GNU/Linux user 257852
> Debian GNU/Linux 3.0 (Sid) 2.4.18 ppc
>
> Simulations are like miniskirts, they show a lot and hide the essentials.
> 		-- Hubert Kirrman
>
> _______________________________________________
> Zope-web maillist  -  Zope-web@zope.org
> http://mail.zope.org/mailman/listinfo/zope-web
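The behaviour the collector entry describes (a Depth: 1 PROPFIND, sent with no credentials, answered with a 207 Multi-Status that enumerates every child object) can be checked from a script rather than by pointing Nautilus or Windows Explorer at a site. The following is an added example, not code from the thread or from Zope itself. It sends an anonymous PROPFIND, parses the WebDAV multistatus body, and reports whether child hrefs were exposed. To stay runnable offline it also embeds a constructed fake WebDAV server whose multistatus body, object names (`/Members/`, `/index_html`) and 401 response are assumptions standing in for a real Zope installation: with "WebDAV access" granted to Anonymous the check sees 207 and a listing, with the permission removed it sees 401.

```python
"""Probe a WebDAV endpoint for anonymous PROPFIND listings (added example)."""
import http.client
import threading
import xml.etree.ElementTree as ET
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import unquote, urlsplit

DAV_NS = "{DAV:}"

# Smallest useful Depth: 1 request: ask only for resourcetype so the reply
# still names every child but carries no other properties.
PROPFIND_BODY = (
    b'<?xml version="1.0" encoding="utf-8"?>'
    b'<D:propfind xmlns:D="DAV:"><D:prop><D:resourcetype/></D:prop></D:propfind>'
)

def propfind(url, depth=1, timeout=10):
    """Send an unauthenticated PROPFIND and return (status, body_bytes)."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    conn.request("PROPFIND", parts.path or "/", body=PROPFIND_BODY, headers={
        "Depth": str(depth),
        "Content-Type": 'text/xml; charset="utf-8"',
        "Content-Length": str(len(PROPFIND_BODY)),
    })
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return resp.status, body

def parse_multistatus(body, base_path="/"):
    """From a 207 body return (children, collections): every href other than the
    requested resource, and the subset that advertises DAV:collection."""
    root = ET.fromstring(body)
    children, collections = [], []
    for resp in root.iter(DAV_NS + "response"):
        href_el = resp.find(DAV_NS + "href")
        if href_el is None or not href_el.text:
            continue
        href = unquote(href_el.text.strip())
        if href.rstrip("/") == base_path.rstrip("/"):
            continue  # the requested resource itself, not a child
        children.append(href)
        if resp.find(f".//{DAV_NS}resourcetype/{DAV_NS}collection") is not None:
            collections.append(href)
    return children, collections

def check_anonymous_listing(url):
    """207 with child hrefs means Anonymous can enumerate the folder; 401/403
    means the server demanded credentials for PROPFIND."""
    status, body = propfind(url)
    if status != 207:
        return {"status": status, "exposed": False, "children": [], "collections": []}
    children, collections = parse_multistatus(body, urlsplit(url).path or "/")
    return {"status": status, "exposed": bool(children),
            "children": children, "collections": collections}

# Constructed sample multistatus body (not a capture from zope.org).
SAMPLE_MULTISTATUS = b"""<?xml version="1.0" encoding="utf-8"?>
<d:multistatus xmlns:d="DAV:">
 <d:response><d:href>/</d:href><d:propstat><d:prop><d:resourcetype><d:collection/></d:resourcetype></d:prop><d:status>HTTP/1.1 200 OK</d:status></d:propstat></d:response>
 <d:response><d:href>/Members/</d:href><d:propstat><d:prop><d:resourcetype><d:collection/></d:resourcetype></d:prop><d:status>HTTP/1.1 200 OK</d:status></d:propstat></d:response>
 <d:response><d:href>/index_html</d:href><d:propstat><d:prop><d:resourcetype/></d:prop><d:status>HTTP/1.1 200 OK</d:status></d:propstat></d:response>
</d:multistatus>"""

class _FakeDavHandler(BaseHTTPRequestHandler):
    """Assumed stand-in for a Zope WebDAV source port; not Zope's code."""
    def log_message(self, *args):
        pass
    def do_PROPFIND(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if self.server.require_auth and "Authorization" not in self.headers:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="Zope"')
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        self.send_response(207, "Multi-Status")
        self.send_header("Content-Type", 'text/xml; charset="utf-8"')
        self.send_header("Content-Length", str(len(SAMPLE_MULTISTATUS)))
        self.end_headers()
        self.wfile.write(SAMPLE_MULTISTATUS)

class _FakeDavServer(HTTPServer):
    def __init__(self, require_auth):
        super().__init__(("127.0.0.1", 0), _FakeDavHandler)
        self.require_auth = require_auth  # False: "WebDAV access" granted to Anonymous

def run_demo():
    """Run the check against both configurations of the fake server."""
    results = {}
    for name, require_auth in (("anonymous_allowed", False), ("anonymous_denied", True)):
        srv = _FakeDavServer(require_auth)
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        try:
            results[name] = check_anonymous_listing(f"http://127.0.0.1:{srv.server_address[1]}/")
        finally:
            srv.shutdown()
            srv.server_close()
    return results

if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

Against a real host, call `check_anonymous_listing("http://host/")` without the fake server; a 207 with a non-empty `children` list is the condition the collector entry reports, a 401 is what the permission change Andreas describes should produce for an unauthenticated client.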