I have got a local configuration with a Linux server currently running Zope 2.1.1 for evaluation and some other machines, including a Win98 Notebook, connected to the server via Ethernet.

The good thing is that I can use WebDAV to see and modify the Zope folders/objects from Internet Explorer 5.0 on the Win98 machine.

The bad thing: There seems to be NO AUTHENTICATION needed to do this!

I tried first on the Win98 itself with a local Zope. My guess was that it automatically accepts local connections as allowed. But when I "WebDAVed" into the Zope on the Linux machine, it was accessible, too. O.K., my Win98 uses a valid user/password on the Linux machine needed for Samba, so I tried with a different logon and Zope still was very open for WebDAV connections!

Same with Win98 running in a VMWare box on another Linux machine!

Is this a "feature" or a bug? If WebDAV was totally "open" by default, this would be a major security issue!

The Linux server machine is also running SQUID as a proxy server for the other machines. Could that be part of the problem?

If it is a security issue (I think so), is that problem still there in Zope 2.1.2?

Joachim Werner
WebDAV uses HTTP authentication (it should use a digest mechanism, but some WebDAV servers don't bother).

This means that any anonymous user has the same rights whether using WebDAV or just browsing through a browser.

The story changes, though, when you try to write to the server via WebDAV; you then need authentication.

The stuff returned to the WebDAV client should be the rendered version unless you know how to get at the unrendered version and know the password/username.

I may be proven wrong about this, but that's how it should work according to the docs.

If you are interested in looking at WebDAV, have a look at the attached files.

These are a davlib.py client library and a simple test framework. Play with them, and you'll see what I mean.

HTH

Phil
phil.harris@zope.co.uk

----- Original Message -----
From: "Joachim Werner" <joachim.werner@iuveno.de>
To: <zope@zope.org>
Sent: Saturday, January 08, 2000 11:29 AM
Subject: [Zope] WebDAV security
I have got a local configuration with a Linux server currently running Zope 2.1.1 for evaluation and some other machines, including a Win98 Notebook, connected to the server via Ethernet.
The good thing is that I can use WebDAV to see and modify the Zope folders/objects from Internet Explorer 5.0 on the Win98 machine.
The bad thing: There seems to be NO AUTHENTICATION needed to do this!
I tried first on the Win98 itself with a local Zope. My guess was that it automatically accepts local connections as allowed. But when I "WebDAVed" into the Zope on the Linux machine, it was accessible, too. O.K., my Win98 uses a valid user/password on the Linux machine needed for Samba, so I tried with a different logon and Zope still was very open for WebDAV connections!
Same with Win98 running in a VMWare box on another Linux machine!
Is this a "feature" or a bug? If WebDAV was totally "open" by default, this would be a major security issue!
The Linux server machine is also running SQUID as a proxy server for the other machines. Could that be part of the problem?
If it is a security issue (I think so), is that problem still there in Zope 2.1.2?
Joachim Werner
_______________________________________________ Zope maillist - Zope@zope.org http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
O.K., I checked the stuff again: I changed the Zope password, and all of a sudden the WebDAV connection behaved as it should: protected areas of the Zope site didn't show up. So what happened before is that the "remember password" feature of IE 5.0 just did what it is supposed to do, and so it seemed as if the Zope site just opened without authentication. Thank you anyway! Joachim.
Attachments to Phil Harris's reply: davtest.py (text/plain), davlib.py (text/plain)
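The two points of the thread, Phil's rule (anonymous WebDAV reads have the same rights as anonymous browsing, writes need authentication) and Joachim's finding (a browser that replays a remembered password makes a protected server look wide open), are easiest to verify from a script that controls exactly which credentials go on the wire. The following is an added example and not code from the thread; in particular it is not Phil's davlib.py or davtest.py. The small HTTP server in it is a constructed stand-in for a WebDAV server, not Zope, and the manager:secret credential and the /public/ and /private/ paths are assumptions made for the demo. It goes slightly beyond the thread by also probing with a wrong password, which is the case a browser's credential cache hides.

```python
"""Probe a WebDAV server's authentication boundary from a script.

Added example, not code from the original thread and not Phil's davlib.py or
davtest.py. The toy server below is a constructed stand-in for a WebDAV server
(just enough PROPFIND/PUT/MKCOL to show the behaviour); it is not Zope. The
manager:secret credential and the /public/ and /private/ paths are assumptions.
"""
import base64
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

USER, PASSWORD = "manager", "secret"          # constructed, not a Zope default
PUBLIC_PATH, PRIVATE_PATH = "/public/", "/private/"


class ToyDavHandler(BaseHTTPRequestHandler):
    """Anonymous clients may read public objects; everything else needs Basic auth."""

    def _authenticated(self):
        header = self.headers.get("Authorization", "")
        if not header.startswith("Basic "):
            return False
        try:
            # Basic auth is only base64, not encryption: the password travels in clear.
            user_pass = base64.b64decode(header[6:]).decode()
        except ValueError:
            return False
        return user_pass == f"{USER}:{PASSWORD}"

    def _reply(self, status, body=b""):
        # Drain any request body so the connection is left in a clean state.
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        self.send_response(status)
        if status == 401:
            # This challenge is what makes a browser prompt for, or silently replay, a login.
            self.send_header("WWW-Authenticate", 'Basic realm="Zope"')
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_PROPFIND(self):
        # Reads: public objects are open to anonymous, private ones are not.
        if self.path.startswith(PUBLIC_PATH) or self._authenticated():
            self._reply(207, b"<multistatus/>")
        else:
            self._reply(401)

    def do_PUT(self):
        # Writes always need authentication, whatever the path.
        self._reply(201 if self._authenticated() else 401)

    do_MKCOL = do_PUT

    def log_message(self, *args):   # keep the demo quiet
        pass


def start_toy_server():
    server = ThreadingHTTPServer(("127.0.0.1", 0), ToyDavHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def dav_request(port, method, path, creds=None, body=b""):
    """One WebDAV request; creds=None is a genuinely anonymous request."""
    headers = {"Depth": "0", "Content-Length": str(len(body))}
    if creds is not None:
        token = base64.b64encode(f"{creds[0]}:{creds[1]}".encode()).decode()
        headers["Authorization"] = "Basic " + token
    conn = HTTPConnection("127.0.0.1", port, timeout=5)
    try:
        conn.request(method, path, body=body, headers=headers)
        return conn.getresponse().status
    finally:
        conn.close()


def probe_auth_boundary(port, creds):
    """Run the same reads and a write twice: anonymous, then with explicit creds.

    A client that silently replays a remembered password looks 'unauthenticated'
    while actually sending the manager's credentials on every request; sending
    the Authorization header ourselves removes that ambiguity.
    """
    results = {}
    for label, c in (("anon", None), ("auth", creds)):
        results[f"{label}_read_public"] = dav_request(port, "PROPFIND", PUBLIC_PATH, c)
        results[f"{label}_read_private"] = dav_request(port, "PROPFIND", PRIVATE_PATH, c)
        results[f"{label}_write"] = dav_request(port, "PUT", PUBLIC_PATH + "new.txt", c, b"x")
    return results


def writes_require_auth(results):
    """True when anonymous writes are refused and the supplied credentials are accepted."""
    return results["anon_write"] == 401 and results["auth_write"] in (200, 201, 204)


if __name__ == "__main__":
    srv = start_toy_server()
    r = probe_auth_boundary(srv.server_port, (USER, PASSWORD))
    for k, v in sorted(r.items()):
        print(f"{k:18s} {v}")
    print("writes protected:", writes_require_auth(r))
    srv.shutdown()
```

Against a real server, replace the toy server with the host and port of the WebDAV endpoint and keep `creds=None` for the anonymous pass; a 207 on a private folder or a 2xx on the PUT in that pass is the real "no authentication" finding, whereas the same result from a browser may only mean the browser remembered a password.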
participants (2)
- Joachim Werner
- Phil Harris