[ZWeb] Re: [ZOC] 68/ 1 Request "WebDAV allows complete listings of the site"
Sidnei da Silva
sidnei@x3ng.com
Sat, 5 Apr 2003 09:43:15 -0300
On Sat, Apr 05, 2003 at 07:34:54AM -0500, Collector: NEW Zope.org (the ... wrote:
| Issue #68 Update (Request) "WebDAV allows complete listings of the site"
| ** Security Related ** (Confidential)
| Status Pending_confidential, content/bug critical
| To followup, visit:
| http://collector.zope.org/ZopeOrg/68
|
| ==============================================================
| = Request - Entry #1 by efge on Apr 5, 2003 7:34 am
|
|
| Uploaded: "zope-propfind.txt"
| - http://collector.zope.org/ZopeOrg/68/zope-propfind.txt/view
| Using Nautilus from Gnome 2.2, if you go to http://zope.org without any authentication, you still
| get a full listing of the site objects.
|
| Nautilus does a PROPFIND, controlled by "WebDAV access", and it appears that this is allowed for Anonymous on
| zope.org. I suggest removing the "WebDAV access" permission from Anonymous.
|
| I'm attaching a dump of the tcp conversation.
What makes you think that's a security issue? It's been there for more
than 2 years now, and it's the default configuration for Zope (at least
until the 2.5 series, haven't checked on 2.6). There's nothing there
that can't be accessed by a browser. (BTW, the same happens with WinXP
if you use \\zope.org, and the same happens to zope.com, and any other
Zope site that runs the default configuration.)
[]'s
--
Sidnei da Silva (dreamcatcher) <sidnei@x3ng.com.br>
X3ng Web Technology <http://www.x3ng.com.br>
GNU/Linux user 257852
Debian GNU/Linux 3.0 (Sid) 2.4.18 ppc
Simulations are like miniskirts, they show a lot and hide the essentials.
-- Hubert Kirrman
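Editor's note, added example (not code from either participant in this thread): the report above says that Nautilus issues a PROPFIND and that the "WebDAV access" permission decides whether Anonymous gets a listing back. The script below reproduces that check from the command line: it sends an unauthenticated PROPFIND with Depth: 1 and classifies the answer as an exposed listing (207 Multi-Status with child hrefs) or as access denied (401/403). The network function is a real HTTP call; the embedded 207 response is constructed here for illustration and is only a generic DAV multistatus, not a capture from zope.org.

```python
"""Probe whether a WebDAV endpoint answers an anonymous PROPFIND with a listing.

Added example, not code from the thread. Host names and the sample 207
response below are constructed for illustration.
"""
import http.client
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

DAV = "{DAV:}"  # ElementTree's Clark notation for the WebDAV namespace

# Minimal PROPFIND body: ask only for displayname and resourcetype.
PROPFIND_BODY = (
    b'<?xml version="1.0" encoding="utf-8"?>'
    b'<D:propfind xmlns:D="DAV:"><D:prop>'
    b'<D:displayname/><D:resourcetype/>'
    b'</D:prop></D:propfind>'
)


def parse_multistatus(body: bytes):
    """Return [(href, is_collection), ...] from a 207 Multi-Status body.

    Malformed XML, or a non-DAV body such as an HTML error page, yields [].
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return []
    if root.tag != DAV + "multistatus":
        return []
    entries = []
    for resp in root.iter(DAV + "response"):
        href = resp.find(DAV + "href")
        if href is None or not (href.text or "").strip():
            continue
        is_coll = resp.find(".//" + DAV + "collection") is not None
        entries.append((href.text.strip(), is_coll))
    return entries


def classify(status: int, entries) -> str:
    """Map the server's answer to a verdict string."""
    if status == 207 and entries:
        return "listing-exposed"   # anonymous PROPFIND enumerates children
    if status in (401, 403):
        return "auth-required"     # WebDAV access withheld from Anonymous
    if status == 207:
        return "empty-multistatus"
    return "other"


def anonymous_propfind(url: str, timeout: float = 10.0):
    """Send an unauthenticated PROPFIND with Depth: 1; return (status, entries).

    This makes a live network request and is not exercised by the offline test.
    """
    parts = urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    headers = {
        "Depth": "1",  # immediate children only; "infinity" is often refused
        "Content-Type": 'text/xml; charset="utf-8"',
        "Content-Length": str(len(PROPFIND_BODY)),
    }
    conn.request("PROPFIND", parts.path or "/", body=PROPFIND_BODY, headers=headers)
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return resp.status, parse_multistatus(body)


# Constructed 207 response of the shape a DAV server returns for Depth: 1.
SAMPLE_MULTISTATUS = b"""<?xml version="1.0" encoding="utf-8"?>
<D:multistatus xmlns:D="DAV:">
  <D:response><D:href>/</D:href>
    <D:propstat><D:prop><D:displayname>root</D:displayname>
      <D:resourcetype><D:collection/></D:resourcetype></D:prop>
      <D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response>
  <D:response><D:href>/Members/</D:href>
    <D:propstat><D:prop><D:displayname>Members</D:displayname>
      <D:resourcetype><D:collection/></D:resourcetype></D:prop>
      <D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response>
  <D:response><D:href>/index_html</D:href>
    <D:propstat><D:prop><D:displayname>index_html</D:displayname>
      <D:resourcetype/></D:prop>
      <D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response>
</D:multistatus>"""


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:   # e.g. python propfind_check.py http://example.invalid/
        status, entries = anonymous_propfind(sys.argv[1])
    else:                   # offline demo against the constructed response
        status, entries = 207, parse_multistatus(SAMPLE_MULTISTATUS)
    print(classify(status, entries))
    for href, is_coll in entries:
        print(("[dir]  " if is_coll else "[file] ") + href)
```

Run it with a URL argument to test a real host; with no argument it walks the constructed response. A "listing-exposed" verdict against a site is exactly the condition the report describes, and the remediation it proposes (removing "WebDAV access" from Anonymous) should turn the same probe into "auth-required".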