Disabling anonymous webdav access
Hi All,

As someone pointed out on #zope, it is possible to view folder contents using a webdav client as an anonymous user. I.e. download cadaver (http://www.webdav.org/cadaver/), open yourzopeserver:8080 and do ls. Then decide if you want anyone to be able to access this. Even though hiding this information may be security by obscurity, there are some things you just don't want everyone to see. This allows you to see, for example, the installed products on the server. A hacker might use this knowledge to exploit some known bug in a zope product if one exists.

Most people (like me) probably think it's harmless to let old objects, documents etc. linger around as you can't view them in listings through ftp or http. They don't realize webdav is running by default. Actually, it can't even be disabled! (z2.py -X -w80 won't do the trick!)

Personally I'd rather see this secured. It's not possible to disable 'view contents information' for anonymous users in zope, as this will ruin your entire site (all anonymous access will then be disabled), so the solution would be to create a new permission for access contents through webdav. And that's what the following (trivial) patch does. After applying you'll get a new permission in your security tab, which is set to manager by default. To get the old behaviour back, just set the permission back to anonymous.

Apply it using patch -p1 ../webdav.patch in your SOFTWARE_HOME (i.e. the Zope-2.3.2-src dir). Or just edit lib/python/webdav/Resource.py by hand :) I've tested it with Zope 2.3.2, I can't guarantee it will work with other versions (use at your own risk anyway).

-- cut here -- *** Zope-2.3.2-orig/lib/python/webdav/Resource.py Tue Mar 27 21:50:37 2001 --- Zope-2.3.2-src/lib/python/webdav/Resource.py Mon May 14 19:16:46 2001 *************** *** 109,115 **** __ac_permissions__=( ('View', ('HEAD',)), !
('Access contents information', ('PROPFIND',)), ('Manage properties', ('PROPPATCH',)), ('Delete objects', ('DELETE',)), ) --- 109,115 ---- __ac_permissions__=( ('View', ('HEAD',)), ! ('Access contents information through WebDav', ('PROPFIND',)), ('Manage properties', ('PROPPATCH',)), ('Delete objects', ('DELETE',)), ) -- cut here -- Cheers, Ivo -- Drs. I.R. van der Wijk -=- Brouwersgracht 132 Amaze Internet Services V.O.F. 1013 HA Amsterdam -=- Tel: +31-20-4688336 Linux/Web/Zope/SQL Fax: +31-20-4688337 Network Solutions Web: http://www.amaze.nl/ Consultancy Email: ivo@amaze.nl -=-
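Review bot: the hunk moves PROPFIND from 'Access contents information' to the new 'Access contents information through WebDav' permission, but nothing in the shown change declares that permission or its default roles, so the "set to manager by default" behaviour described in the message is not established by the diff itself; an explicit default-role declaration for the new permission would make the intended default visible and reviewable. The compatibility consequence should also be stated: every role currently holding 'Access contents information' (typically Anonymous on a public site) loses PROPFIND the moment this is applied, so a note telling managers to re-grant the new permission where anonymous WebDAV listing is wanted belongs with the patch. Minor: the protocol is written 'WebDAV' elsewhere in this thread (and the existing permission is named 'FTP Access'), so the spelling 'WebDav' in the permission name is worth aligning before sites start depending on the string.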
As someone pointed out on #zope, it is possible to view folder contents using a webdav client as an anonymous user.
<snip>
After applying you'll get a new permission in your security tab, which is set to manager by default. To get the old behaviour back, just set the permission back to anonymous.
Apply it using patch -p1 ../webdav.patch in your SOFTWARE_HOME (i.e. the Zope-2.3.2-src dir).
I'd like to add this for Zope 2.4, but slightly modified, and I wanted to run this by the community for buy-in. I propose that there be a "WebDAV Access" permission (to be consistent w/the existing "FTP Access" permission) that protects PROPFIND. Instead of defaulting to "Manager" only (as proposed by Ivo), I propose that it default to "Manager, Anonymous" so that current behavior is preserved. In other words, I think it is better that sites continue to work exactly as before after the change (but that the manager can then go turn off anonymous DAV access), rather than have sites suddenly "stop working with WebDAV" until the manager goes and gives anonymous that permission. Thoughts?
-- cut here -- *** Zope-2.3.2-orig/lib/python/webdav/Resource.py Tue Mar 27 21:50:37 2001 --- Zope-2.3.2-src/lib/python/webdav/Resource.py Mon May 14 19:16:46 2001 *************** *** 109,115 ****
__ac_permissions__=( ('View', ('HEAD',)), ! ('Access contents information', ('PROPFIND',)), ('Manage properties', ('PROPPATCH',)), ('Delete objects', ('DELETE',)), ) --- 109,115 ----
__ac_permissions__=( ('View', ('HEAD',)), ! ('Access contents information through WebDav', ('PROPFIND',)), ('Manage properties', ('PROPPATCH',)), ('Delete objects', ('DELETE',)), ) -- cut here --
Brian Lloyd brian@digicool.com Software Engineer 540.371.6909 Digital Creations http://www.digicool.com
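The lookup that both Ivo's patch and Brian's proposed default turn on, as an added Python model (not Zope's own code): a WebDAV method is mapped to a permission through __ac_permissions__, and the permission to roles through the site's grants. SITE_GRANTS is a constructed example of a public site, and the Manager-only fallback for a permission with no grant is an assumption that models the "set to manager by default" behaviour described above.

```python
# Model of the method -> permission -> roles check changed by the
# Resource.py patch.  Added illustration, not Zope's code.

ORIGINAL_AC_PERMISSIONS = (
    ('View', ('HEAD',)),
    ('Access contents information', ('PROPFIND',)),
    ('Manage properties', ('PROPPATCH',)),
    ('Delete objects', ('DELETE',)),
)

# Ivo's patch: PROPFIND moves to a brand-new permission name.
IVO_AC_PERMISSIONS = (
    ('View', ('HEAD',)),
    ('Access contents information through WebDav', ('PROPFIND',)),
    ('Manage properties', ('PROPPATCH',)),
    ('Delete objects', ('DELETE',)),
)

# Brian's variant: same idea, named to match the existing "FTP Access".
BRIAN_AC_PERMISSIONS = (
    ('View', ('HEAD',)),
    ('WebDAV Access', ('PROPFIND',)),
    ('Manage properties', ('PROPPATCH',)),
    ('Delete objects', ('DELETE',)),
)

# Constructed grants of a typical public site: anyone may view and list
# content, only managers may change it.
SITE_GRANTS = {
    'View': ('Manager', 'Anonymous'),
    'Access contents information': ('Manager', 'Anonymous'),
    'Manage properties': ('Manager',),
    'Delete objects': ('Manager',),
}


def permission_for(method, ac_permissions):
    """Return the permission guarding a WebDAV method, or None if unmapped."""
    for permission, methods in ac_permissions:
        if method in methods:
            return permission
    return None


def is_allowed(method, user_roles, ac_permissions, grants):
    """True if one of the user's roles holds the permission guarding method.
    Assumption: a permission with no grant falls back to Manager only."""
    permission = permission_for(method, ac_permissions)
    if permission is None:
        return False  # fail closed for methods not mapped to a permission
    granted = grants.get(permission, ('Manager',))
    return any(role in granted for role in user_roles)
```

With Ivo's default, anonymous PROPFIND stops working until a manager grants the new permission; with Brian's "Manager, Anonymous" default it keeps working until a manager revokes it.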
Brian Lloyd wrote:
I propose that there be a "WebDAV Access" permission (to be consistent w/the existing "FTP Access" permission) that protects PROPFIND. Instead of defaulting to "Manager" only (as proposed by Ivo), I propose that it default to "Manager, Anonymous" so that current behavior is preserved. In other words, I think it is better that sites continue to work exactly as before after the change (but that the manager can then go turn off anonymous DAV access), rather than have sites suddenly "stop working with WebDAV" until the manager goes and gives anonymous that permission.
Wow, if you could just stretch to adding an "HTTP Access" permission, you would have completely covered: http://dev.zope.org/Wikis/DevSite/Proposals/ProtocolAccessibility cool :-) Chris
On Fri, 18 May 2001, Brian Lloyd wrote:
Ivo), I propose that it default to "Manager, Anonymous" so that current behavior is preserved. In other words, I think it is better that sites continue to work exactly as before after the change (but that the manager can then go turn off anonymous DAV access), rather than have sites suddenly "stop working with WebDAV" until the manager goes and gives anonymous that permission.
Thoughts?
Here's mine, for a future version of Zope: what would be nice is an installation/launching option for Zope's security to be set to maximum security by default, i.e. anonymous wouldn't even have the View permission by default, and the admin would have to manually set the anonymous permissions, kind of like ALL: PARANOID in /etc/hosts.deny and no hosts.allow file. What would be even better is that such a thing doesn't appear in Zope before I understand completely how the permission system really works ;-) bye, Jerome Alet
On Fri, May 18, 2001 at 11:19:10AM -0400, Brian Lloyd wrote:
As someone pointed out on #zope, it is possible to view folder contents using a webdav client as an anonymous user.
I'd like to add this for Zope 2.4, but slightly modified, and I wanted to run this by the community for buy-in.
I propose that there be a "WebDAV Access" permission (to be consistent w/the existing "FTP Access" permission) that protects PROPFIND. Instead of defaulting to "Manager" only (as proposed by Ivo), I propose that it default to "Manager, Anonymous" so that current behavior is preserved. In other words, I think it is better that sites continue to work exactly as before after the change (but that the manager can then go turn off anonymous DAV access), rather than have sites suddenly "stop working with WebDAV" until the manager goes and gives anonymous that permission.
I never really used webdav, so I don't know what applications will break with my patch. I assume however that these applications understand authentication and will simply require a username/password. I do think it should be made clear to the user that in default configuration, zope will allow this anonymous access. I know a lot of people who find such behaviour insecure and who would be scared if they found out afterwards (as I did).

As for the proposed reverse proxy filtering, this will disable all webdav access *the hard way* (i.e. PROPFIND will not be possible at all). And it will not make zope secure "out of the box". Until there is decent protocol based access, this looks like a nice patch. And of course, you're welcome to incorporate it in 2.4 :)

Cheers, Ivo -- Drs. I.R. van der Wijk -=- Brouwersgracht 132 Amaze Internet Services V.O.F. 1013 HA Amsterdam -=- Tel: +31-20-4688336 Linux/Web/Zope/SQL Fax: +31-20-4688337 Network Solutions Web: http://www.amaze.nl/ Consultancy Email: ivo@amaze.nl -=-