Hi All,

I have a weird security problem with my Zope installation. I'm now running Zope 2.3.2 on Windows98, but the problem also occurred in Zope 2.3.1.

I installed a Webfolder in my explorer, to gain access via Webdav to the Zope Server. It didn't require a username/password to gain full access to the server... I tried to change my password from within Zope, but that didn't change a thing... I can walk in, without authentication needed...!

I was worried about this, so I decided to test Webdav on some Windows2000/IIS5 servers on the internet too, to see if they required authentication. And a shocking 1 out of 4 servers I tried were completely open to Webdav... I could retrieve directory listings, and I also had WRITE privileges. Some very important, large websites contain this access hole.

How is this possible???? How can I fix this hole in my Zope installation? Can I disable Webdav access completely, if there is no short term solution?

Any help is greatly appreciated.

Thanks in advance, greetings,
Antwan Reijnen.
Hi Antwan,

You're right in stating that this is a security problem. The fact that anonymous users can retrieve directory listings is itself a security problem (and is the reason that the method suite represented by 'objectIds' was protected from TTW access in 2.2.something). Unfortunately, currently, the WebDAV implementation is tied up with the "normal" HTTP server code in such a way that turning WebDAV off independently of other HTTP requests is not possible. This also needs to be fixed or addressed in another way.

That said, I'm suspicious of the claim that via WebDAV, you're able to subvert the Zope security policy in any way, because it's the same one that's used by "normal" HTTP access. For example, if you're able to change the body of a DTML method via WebDAV on your site, it's likely because the permission "Add Documents, Images, and Files" (or perhaps "Change DTML Methods") is provided to the Anonymous user respective to the object itself. Likewise, if you can PUT a DTML document into a folder as the anonymous user, it's likely because the "Add Documents, Images, and Files" permission is provided to the Anonymous User respective to the folder.

Can you provide a specific set of steps using WebDAV that demonstrates a subversion of your specific security policy?

- C

Antwan Reijnen wrote:
Hi All,
I have a weird security problem with my Zope installation. I'm now running Zope 2.3.2 on Windows98, but the problem also occurred in Zope 2.3.1.
I installed a Webfolder in my explorer, to gain access via Webdav to the Zope Server. It didn't require a username/password to gain full access to the server... I tried to change my password from within Zope, but that didn't change a thing... I can walk in, without authentication needed...!
I was worried about this, so I decided to test Webdav on some Windows2000/IIS5 servers on the internet too, to see if they required authentication. And a shocking 1 out of 4 servers I tried were completely open to Webdav... I could retrieve directory listings, and I also had WRITE privileges. Some very important, large websites contain this access hole.
How is this possible???? How can I fix this hole in my Zope installation? Can I disable Webdav access completely, if there is no short term solution?
Any help is greatly appreciated.
Thanks in advance, greetings, Antwan Reijnen.
_______________________________________________ Zope maillist - Zope@zope.org http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
Chris McDonough wrote:
Hi Antwan,
That said, I'm suspicious of the claim that via WebDAV, you're able to subvert the Zope security policy in any way, because it's the same one that's used by "normal" HTTP access. For example, if you're able to change the body of a DTML method via WebDAV on your site, it's likely because the permission "Add Documents, Images, and Files" (or perhaps "Change DTML Methods") is provided to the Anonymous user respective to the object itself. Likewise, if you can PUT a DTML document into a folder as the anonymous user, it's likely because the "Add Documents, Images, and Files" permission is provided to the Anonymous User respective to the folder.
Can you provide a specific set of steps using WebDAV that demonstrates a subversion of your specific security policy?
I also am suspicious. I have not tried a MS client but did use cadaver to test WebDav access last week and it prompted for a password as it should.

Antwan, feel free to hit the DEMO site below and let me know if you trash my demo <s>.

Thanks,

--
Tim Cook, President - FreePM,Inc.
http://www.FreePM.com
Office: (731) 884-4126
ONLINE DEMO: http://www.freepm.org:8080/FreePM
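To turn the "does WebDAV prompt for a password?" test Tim did with cadaver (and the "specific set of steps" Chris asked for) into something repeatable, here is an added example that is not part of the thread and not Zope's or FreePM's code. It sends the two requests a Web Folder sends first, PROPFIND (directory listing) and PUT (write), and classifies the reply as open, auth-required, or blocked. The in-process "fake DAV server", its `Basic realm="Zope"` challenge, and the probe file name `_dav_probe.txt` are constructed for the example; pointed at a real server the PUT really does create a file, so only use it against servers you own.

```python
"""Probe a WebDAV endpoint the way a Web Folder or cadaver does (PROPFIND, then PUT)
and report whether anonymous access is open, challenged, or blocked.

Added example for the zope list thread; the fake server below is constructed so the
probe can be exercised offline. Against a real host the PUT writes a file: own servers only.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Minimal RFC 4918 allprop request body; what most clients send for a listing.
PROPFIND_BODY = b'<?xml version="1.0"?><propfind xmlns="DAV:"><allprop/></propfind>'
PROBE_NAME = "_dav_probe.txt"  # assumed, harmless file name used for the write test


def dav_request(host, port, method, path, body=b""):
    """Send one WebDAV request with no credentials; return (status, headers, body)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    headers = {"Content-Length": str(len(body))}
    if method == "PROPFIND":
        headers.update({"Depth": "1", "Content-Type": "text/xml"})
    conn.request(method, path, body=body, headers=headers)
    resp = conn.getresponse()
    data = resp.read()
    conn.close()
    return resp.status, dict(resp.getheaders()), data


def classify(status, headers):
    """Map a reply to what it tells us about the anonymous user."""
    names = {k.lower() for k in headers}
    if status == 401 and "www-authenticate" in names:
        return "auth-required"        # the policy is enforced: client must log in
    if status in (200, 201, 204, 207):
        return "open"                 # anonymous succeeded (207 = Multi-Status listing)
    return "blocked (%d)" % status    # 403/404/405 etc.: refused, but not a login prompt


def probe_webdav(host, port, path="/"):
    """Return {'propfind': ..., 'put': ...} for the collection at `path`."""
    status, hdrs, _ = dav_request(host, port, "PROPFIND", path, PROPFIND_BODY)
    propfind = classify(status, hdrs)
    put_path = path.rstrip("/") + "/" + PROBE_NAME
    status, hdrs, _ = dav_request(host, port, "PUT", put_path, b"webdav probe\n")
    return {"propfind": propfind, "put": classify(status, hdrs)}


class FakeDavHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a Zope/IIS DAV server; not real server behaviour."""
    anonymous_allowed = False  # overridden per server instance below

    def _reply(self, ok_status, body=b""):
        length = int(self.headers.get("Content-Length", 0))
        if length:
            self.rfile.read(length)  # drain the request body
        if self.anonymous_allowed:
            self.send_response(ok_status)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="Zope"')
            self.send_header("Content-Length", "0")
            self.end_headers()

    def do_PROPFIND(self):  # BaseHTTPRequestHandler dispatches on "do_" + method name
        self._reply(207, b'<?xml version="1.0"?><multistatus xmlns="DAV:"/>')

    def do_PUT(self):
        self._reply(201)

    def log_message(self, *args):  # keep the console quiet
        pass


def start_fake_server(anonymous_allowed):
    handler = type("Handler", (FakeDavHandler,), {"anonymous_allowed": anonymous_allowed})
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def run_demo():
    """Probe one 'open' and one 'locked' fake server; return both verdicts."""
    results = {}
    for label, allowed in (("open", True), ("locked", False)):
        srv = start_fake_server(allowed)
        try:
            results[label] = probe_webdav("127.0.0.1", srv.server_port)
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    for label, verdict in run_demo().items():
        print(label, verdict)
```

The verdict that matters for this thread is the pair: if PROPFIND is "open" the Anonymous role can list the folder (Chris's 'objectIds' point), and if PUT is "open" Anonymous holds "Add Documents, Images, and Files" (or the equivalent) on that folder, which is a permission setting to fix, not a WebDAV-specific hole. A Web Folder hides the distinction because Explorer silently retries with cached credentials; this probe never sends any.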
Tim Cook wrote:
Antwan, feel free to hit the DEMO site below and let me know if you trash my demo <s>.
I should clarify that. The application is open to use for Anonymous Users. But you shouldn't be able to visit a management screen.

--
Tim Cook, President - FreePM,Inc.
http://www.FreePM.com
Office: (731) 884-4126
ONLINE DEMO: http://www.freepm.org:8080/FreePM
I have a weird security problem with my Zope installation. I'm now running Zope 2.3.2 on Windows98, but the problem also occurred in Zope 2.3.1.
I installed a Webfolder in my explorer, to gain access via Webdav to the Zope Server. It didn't require a username/password to gain full access to the server... I tried to change my password from within Zope, but that didn't change a thing... I can walk in, without authentication needed...!
I came across this "problem" a couple of months ago. One additional thing that irritated me was that MS Explorer stores all the WebDAV passwords if you don't switch this off explicitly.

But as has been said before, WebDAV in Zope is not any more secure or insecure than HTTP access via the browser. I don't even think that it makes any sense to have a separate security scheme for WebDAV (or FTP or XML-RPC, to name a few others). If you think that anonymous users should be able to do something to a resource via the browser, why shouldn't they be able to do the same thing using a different client?

Joachim
participants (4)
- Antwan Reijnen
- Chris McDonough
- Joachim Werner
- Tim Cook