[Zope] Webdav security(hole?)question.

Antwan Reijnen antwan@casema.net
Sat, 12 May 2001 20:51:50 +0200


Hi All,

I have a weird security problem with my Zope installation. I'm now running 
Zope 2.3.2 on Windows98, but the problem also occurred in Zope 2.3.1.

I installed a Webfolder in my explorer, to gain access via Webdav to the
Zope Server. It didn't require a username/password to gain full access to
the server... I tried to change my password from within Zope, but that
didn't change a thing... I can walk in, without authentication needed...!

I was worried about this, so I decided to test Webdav on some
Windows2000/IIS5 servers on the internet too, to see if they required
authentication. And a shocking 1 out of 4 servers I tried were completely
open to Webdav... I could retrieve directory listings, and I also had WRITE
privileges. Some very important, large websites contain this access hole.

How is this possible???? How can I fix this hole in my Zope installation? 
Can I disable Webdav access completely, if there is no short term solution?

Any help is greatly appreciated.

Thanks in advance, greetings, Antwan Reijnen.