JXlio Dinis Silva wrote:
I think zope MUST have a way to disable webdav access. Running a webdav client on some zope sites I found in almost all of them things like test_html index_html_old and some other forgiven methods that programmers leave on their applications. Depending on what test programmers were doing in this methods one could find a way to do some DOS on does sites, just to begin.
Yes, your fears are valid, but WebDAV really isn't the problem. Zope, at a deeper level, is what is causing your problem. You can find out the above information using any web browser, try this: http://www.cbsnewyork.com/objectIds I see they haven't deleted the QuickStart. Interesting... As you point out, once you know the names of methods and the like (see http://www.cbsnewyork.com/objectValues to find out what type objects are, funny... objectItems, which would be slightly more useful, isn't actually URL traversable...), you can do DOS attacks... more interestingly, if you find a method that is anonymously accessible but with some cool proxy roles (maybe because it needs to be like that), you can see if you can cause bad things to happen (like deleting data) by passing in interesting parameters (remember, Zope handily pops the traceback in the response, even in production mode, so you can tell what parameter you left out ;-) Anyway, enough of the problem... possible solutions: 1. Hack the Zope code so the traceback isn't appended to your HTML in production mode 2. Give anything you don't want to be traversable a prefix like i_ and then use Apache to screen these out, along with */manage*. 3. Setup a decent firewall to prevent XML-RPC, FTP and WebDAV access to your Zope server, except by people you trust. It's a hard problem to solve, made harder by the fact that Zope supports loads of protocols and is totally manageable through the web. These are Zope's strengths, but they do raise itneresting problems :-S cheers, Chris