Hi All,

Chris (suspicious), Tim (FreePM), Joachim (Explorer remembers password): thanks for your contributions on the WebDAV thread. I dug a little into it, and I can now shamefully say that my observations on WebDAV were not completely correct (blush). So here is my summary:

Thanks to Chris and Tim, I re-examined the security policy of my Zope server, and was very surprised to see that the "Access contents information" permission was assigned to the Anonymous role by default. I changed this immediately.

This put me in the wrong direction: after changing my manager password, I could still browse through my Zope site with WebFolder, without being asked for a new password. I understand this now... From the perspective of the WebFolder, I changed from manager to anonymous, and anonymous could browse through the system. Because I saw no change in behaviour on the WebFolder side, I thought nothing had changed. But it did: I couldn't write or change files anymore; here the long-awaited username/password dialog finally showed up. Phew... sorry about this, I should have examined this more carefully...

My preliminary false conclusion was, by the way, supported by the fact that the first Windows 2000 site I tried to access via WebDAV was completely open (yes, with write supported), no password required...

Chris and Tim: I agree completely with you that the security policy via WebDAV should be the same as via the HTTP methods.

Tim: of course, I could not gain access to FreePM ;-)

Joachim: thanks to your email I understand why my new Zope installation (2.3.1 -> 2.3.2) did not require new authentication via WebDAV. Thanks Bill :-(

So: thank you all very much. I will creep back into my hole and go shame myself :-)

Goodbye! Greetings, Antwan.
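The distinction Antwan arrives at above (anonymous WebDAV clients can still list a collection with PROPFIND while PUT prompts for credentials) is easy to check from the command line rather than by watching what Web Folders does. The following probe is an added example and is not code from the thread or from Zope: it sends an anonymous PROPFIND and an anonymous PUT to a base URL you supply and reports whether each was accepted. The embedded `ZopeLikeHandler` is a constructed stand-in that mimics the behaviour described in the message (listing open to Anonymous, writes requiring a Manager login, with assumed credentials `manager`/`secret`) so the probe can be exercised offline; it is not Zope's own code.

```python
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

# Minimal RFC 4918 PROPFIND body: ask for all properties of the collection.
PROPFIND_BODY = (b'<?xml version="1.0" encoding="utf-8"?>'
                 b'<D:propfind xmlns:D="DAV:"><D:allprop/></D:propfind>')


def dav_request(url, method, body=None, auth=None, timeout=10):
    """Send one WebDAV request and return the HTTP status code.
    auth is an optional (user, password) tuple sent as HTTP Basic;
    with auth=None the request is anonymous."""
    u = urlparse(url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = cls(u.hostname, u.port, timeout=timeout)
    headers = {"Content-Type": 'text/xml; charset="utf-8"'}
    if method == "PROPFIND":
        headers["Depth"] = "1"          # list the collection's direct members
    if auth is not None:
        token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
        headers["Authorization"] = "Basic " + token
    try:
        conn.request(method, u.path or "/", body=body, headers=headers)
        return conn.getresponse().status
    finally:
        conn.close()


def probe_webdav(base_url, probe_path="/_dav_probe_check.txt"):
    """Classify what an unauthenticated client may do on a DAV collection.
    anon_listing: anonymous PROPFIND Depth:1 succeeded (207 or 200).
    anon_write:   anonymous PUT was accepted (any 2xx)."""
    listing = dav_request(base_url, "PROPFIND", body=PROPFIND_BODY)
    target = base_url.rstrip("/") + probe_path
    put = dav_request(target, "PUT", body=b"webdav probe\n")
    result = {"listing_status": listing, "put_status": put,
              "anon_listing": listing in (200, 207),
              "anon_write": 200 <= put < 300}
    if result["anon_write"]:
        dav_request(target, "DELETE")   # best-effort cleanup of the probe file
    return result


class ZopeLikeHandler(BaseHTTPRequestHandler):
    """Constructed demo server (not Zope): 'Access contents information' is
    still granted to Anonymous, so PROPFIND answers without credentials,
    but PUT/DELETE demand the assumed Manager login."""
    MANAGER = ("manager", "secret")     # assumed credentials for the demo

    def _authorized(self):
        hdr = self.headers.get("Authorization", "")
        if not hdr.startswith("Basic "):
            return False
        try:
            user, _, pw = base64.b64decode(hdr[6:]).decode().partition(":")
        except Exception:
            return False
        return (user, pw) == self.MANAGER

    def _drain(self):
        n = int(self.headers.get("Content-Length") or 0)
        if n:
            self.rfile.read(n)

    def _reply(self, status, body=b"", extra=()):
        self.send_response(status)
        for k, v in extra:
            self.send_header(k, v)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_PROPFIND(self):                # anonymous listing allowed
        self._drain()
        body = (b'<?xml version="1.0"?><D:multistatus xmlns:D="DAV:">'
                b'<D:response><D:href>/</D:href></D:response></D:multistatus>')
        self._reply(207, body, [("Content-Type", 'text/xml; charset="utf-8"')])

    def do_PUT(self):                     # write requires Manager
        self._drain()
        if self._authorized():
            self._reply(201)
        else:
            self._reply(401, extra=[("WWW-Authenticate", 'Basic realm="Zope"')])

    def do_DELETE(self):
        self.do_PUT()

    def log_message(self, *args):         # keep the demo quiet
        pass


def start_demo_server():
    """Start the constructed server on an ephemeral port; returns (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), ZopeLikeHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_port}/"
```

Against a real installation, call `probe_webdav("http://your-zope-host:8080/")` with no other setup; `anon_listing` true and `anon_write` false is exactly the state described in the message above, and a true `anon_write` is the "completely open" IIS case. Run it only against servers you are authorised to test, since the PUT really does create a file when the server permits it.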
Hi All,
I have a weird security problem with my Zope installation. I'm now running Zope 2.3.2 on Windows 98, but the problem also occurred in Zope 2.3.1.
I installed a Web Folder in my Explorer, to gain access via WebDAV to the Zope server. It didn't require a username/password to gain full access to the server... I tried to change my password from within Zope, but that didn't change a thing... I can walk in, without authentication needed...!
I was worried about this, so I decided to test WebDAV on some Windows 2000/IIS 5 servers on the internet too, to see if they required authentication. And a shocking 1 out of 4 servers I tried were completely open to WebDAV... I could retrieve directory listings, and I also had WRITE privileges. Some very important, large websites contain this access hole.
How is this possible? How can I fix this hole in my Zope installation? Can I disable WebDAV access completely, if there is no short-term solution?
Any help is greatly appreciated.
Thanks in advance, greetings, Antwan Reijnen.