[Zope] Summary: Webdav security(hole?)question.

Antwan Reijnen antwan@dexus.nl
Mon, 14 May 2001 11:11:27 +0200


Hi All, Chris (suspicious), Tim (FreePM), Joachim (Explorer remembers 
password),

Thanks for your contributions on the WebDAV thread. I dug a little into it, 
and I can now shamefully say that my observations on WebDAV were not 
completely correct (blush). So here is my summary:

Thanks to Chris and Tim, I re-examined the security policy of my 
Zope server. And I was very surprised to see that the "Access contents 
information" permission was by default assigned to the role Anonymous. I changed 
this immediately. This put me in the wrong direction: after changing my 
manager password, I could still browse through my Zope site with 
WebFolder, without being asked for a new password. I understand this now... 
I changed from Manager to Anonymous from the perspective of the WebFolder, 
and Anonymous could browse through the system. Because I saw no change in 
behaviour on the WebFolder side, I thought nothing had changed. But it did: 
I couldn't write or change files anymore: here the long-awaited 
username/password dialog finally showed up. Phew... sorry about this, I 
should have examined this more carefully... My preliminary false conclusion 
was, by the way, supported by the fact that the first Windows 2000 site I 
tried to access via WebDAV was completely open (yes, with write supported), 
no password required...

Chris and Tim: I agree completely with you that the security policy via 
WebDAV should be the same as via the HTTP methods.

Tim: of course, I could not gain access to FreePM ;-)

Joachim: thanks to your email I understand why my new Zope installation 
(2.3.1 -> 2.3.2) did not require new authentication via WebDAV. Thanks Bill 
:-(

So: thank you all very much. I will creep back into my hole, and go shame 
myself :-)

Goodbye! Greetings, Antwan.



>Hi All,
>
>I have a weird security problem with my Zope installation. I'm now running 
>Zope 2.3.2 on Windows 98, but the problem also occurred in Zope 2.3.1.
>
>I installed a Webfolder in my Explorer, to gain access via WebDAV to the 
>Zope server. It didn't require a username/password to gain full access to 
>the server... I tried to change my password from within Zope, but that 
>didn't change a thing... I can walk in, without authentication needed...!
>
>I was worried about this, so I decided to test WebDAV on some 
>Windows 2000/IIS 5 servers on the internet too, to see if they required 
>authentication. And a shocking 1 out of 4 servers I tried were 
>completely open to WebDAV... I could retrieve directory listings, and I 
>also had WRITE privileges. Some very important, large websites contain 
>this access hole.
>
>How is this possible? How can I fix this hole in my Zope installation? 
>Can I disable WebDAV access completely, if there is no short-term solution?
>
>Any help is greatly appreciated.
>
>Thanks in advance, greetings, Antwan Reijnen.