[Zope] Webdav security(hole?)question.

Joachim Werner joe@iuveno-net.de
Sun, 13 May 2001 21:08:35 +0200


> I have a weird security problem with my Zope installation. I'm now running
> Zope 2.3.2 on Windows98, but the problem also occurred in Zope 2.3.1.
>
> I installed a Webfolder in my explorer, to gain access via Webdav to the
> Zope Server. It didn't require a username/password to gain full access to
> the server... I tried to change my password from within Zope, but that
> didn't change a thing... I can walk in, without authentication needed...!

I came across this "problem" a couple of months ago. One additional
thing that irritated me was that MS Explorer stores all the WebDAV passwords
if you don't switch this off explicitly. But as has been said before, WebDAV
in Zope is not any more secure or insecure than HTTP access via the browser.
I don't even think that it makes any sense to have a separate security
scheme for WebDAV (or FTP or XML-RPC, to name a few others). If you think
that anonymous users should be able to do something to a resource via the
browser, why shouldn't they be able to do the same thing using a different
client?

Joachim