Accessing a Zope site with Nautilus can show you the whole structure: folders, methods and documents. On some sites you see the source of index_html. I didn't figure out what makes the difference.
On Fri, 2003-03-28 at 01:13, Stephan Goeldi wrote:
Accessing a Zope site with Nautilus can show you the whole structure: folders, methods and documents. On some sites you see the source of index_html. I didn't figure out what makes the difference.
Zope has a very solid security apparatus, but the default configuration is *not* the most secure one available. You've discovered one way in which this is the case: By default, Zope servers will disclose detailed information about server setup to WebDAV. If you are concerned that this isn't a great way to manage your server (IMO, it's not), you should configure accordingly. Open up the permissions for the root object and de-select the box that grants WebDAV Access privileges to Anonymous. If you've set everything else to inherit this permission, that setting will cascade down your whole server. If not, rinse and repeat. Managing security is a process of balancing convenience against paranoia. By default Zope errs a bit on the side of convenience... a common balance point. The Zope admin's job is to understand these choices and make them differently as requirements dictate. HTH, Dylan
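As an added illustration of the acquisition behaviour described above (not code from the thread or from Zope itself), the following Python models a per-object permission setting that cascades down a folder tree, and audits where Anonymous still effectively holds it after the root is fixed. The Node class, the audit/build_site/fix_root functions and the sample tree are all constructed for this example and only approximate Zope's real permission model.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

PERM = "WebDAV access"   # the permission discussed in the thread

@dataclass
class Node:
    """Simplified Zope-like object: local roles for PERM plus an acquire flag."""
    name: str
    parent: Optional["Node"] = None
    local_roles: Set[str] = field(default_factory=set)
    acquire: bool = True   # default in this model: inherit the parent's setting
    children: List["Node"] = field(default_factory=list)

    def add(self, name: str, roles=(), acquire: bool = True) -> "Node":
        child = Node(name, self, set(roles), acquire)
        self.children.append(child)
        return child

    def path(self) -> str:
        if self.parent is None:
            return "/"
        return self.parent.path().rstrip("/") + "/" + self.name

    def effective_roles(self) -> Set[str]:
        # Acquisition: local roles, plus the parent's effective roles if acquiring.
        roles = set(self.local_roles)
        if self.acquire and self.parent is not None:
            roles |= self.parent.effective_roles()
        return roles

def audit(root: Node, role: str = "Anonymous") -> List[str]:
    """Paths where `role` still effectively holds PERM (where to 'rinse and repeat')."""
    leaks, stack = [], [root]
    while stack:
        node = stack.pop()
        if role in node.effective_roles():
            leaks.append(node.path())
        stack.extend(node.children)
    return sorted(leaks)

def build_site() -> Node:
    # Constructed sample tree; the root grants PERM to Anonymous as the thread describes.
    root = Node("/", local_roles={"Anonymous", "Manager"})
    root.add("docs").add("index_html")              # both acquire from root
    root.add("legacy", roles={"Anonymous"}, acquire=False).add("old_page")
    return root

def fix_root(root: Node) -> None:
    root.local_roles.discard("Anonymous")   # the root Security tab change
```

Objects that do not acquire keep their own grant, so the audit after fix_root shows exactly the subtrees that still need the same change by hand.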
Stephan Goeldi wrote:
Accessing a Zope site with Nautilus can show you the whole structure: folders, methods and documents. On some sites you see the source of index_html. I didn't figure out what makes the difference.
Are you sure that you are not logged in to the site? If you are, it is not a security hole, but perhaps a bug in Nautilus with regards to WebDAV, which sounds more likely. Regards, Max M
[Max M wrote (maxm@mxm.dk) on 3/28/03 4:45 AM]
Accessing a Zope site with Nautilus can show you the whole structure: folders, methods and documents. On some sites you see the source of index_html. I didn't figure out what makes the difference.
Are you sure that you are not logged in to the site? If you are, it is not a security hole, but perhaps a bug in Nautilus with regards to WebDAV, which sounds more likely.
If you have the default setup then this is not a bug in the WebDAV client. You need to remove anonymous WebDAV access in the root Security tab. <--> george donnelly - http://www.zettai.net/ - "We Love Newbies" :) Zope Hosting - Dynamic Website Design - Search Engine Promotion Yahoo, AIM: zettainet - MSN: zettainet@hotmail.com - ICQ: 51907738
george donnelly wrote:
[Max M wrote (maxm@mxm.dk) on 3/28/03 4:45 AM]
Are you sure that you are not logged in to the site? If you are, it is not a security hole, but perhaps a bug in Nautilus with regards to WebDAV, which sounds more likely.
If you have the default setup then this is not a bug in the WebDAV client. You need to remove anonymous WebDAV access in the root Security tab.
Oh ... I assumed that Nautilus was a web browser. That's why I thought there was a bug in it. My bad. Max M
Participants (4):
- Dylan Reinhardt
- george donnelly
- Max M
- Stephan Goeldi