[ZWeb] Re: [ZOC] 68/ 1 Request "WebDAV allows complete listings of the site"

Sidnei da Silva sidnei@x3ng.com
Sat, 5 Apr 2003 09:43:15 -0300


On Sat, Apr 05, 2003 at 07:34:54AM -0500, Collector: NEW Zope.org (the ... wrote:
| Issue #68 Update (Request) "WebDAV allows complete listings of the site"
|  ** Security Related ** (Confidential)
|  Status Pending_confidential, content/bug critical
| To followup, visit:
|   http://collector.zope.org/ZopeOrg/68
| 
| ==============================================================
| = Request - Entry #1 by efge on Apr 5, 2003 7:34 am
| 
| 
| Uploaded:  "zope-propfind.txt"
|  - http://collector.zope.org/ZopeOrg/68/zope-propfind.txt/view
| Using Nautilus from Gnome 2.2, if you go to http://zope.org without any authentication, you still
| get a full listing of the site objects.
| 
| Nautilus does a PROPFIND, controlled by "WebDAV access", and it appears that this is allowed for Anonymous on
| zope.org. I suggest removing the "WebDAV access" permission from Anonymous.
| 
| I'm attaching a dump of the tcp conversation.

What makes you think that's a security issue? It's been there for more
than 2 years now, and it's the default configuration for Zope (at least
until the 2.5 series, haven't checked on 2.6). There's nothing there
that can't be accessed by a browser. (BTW, the same happens with WinXP
if you use \\zope.org, and the same happens to zope.com, and any other
zope site that runs the default configuration)

[]'s
-- 
Sidnei da Silva (dreamcatcher) <sidnei@x3ng.com.br>
X3ng Web Technology <http://www.x3ng.com.br>
GNU/Linux user 257852
Debian GNU/Linux 3.0 (Sid) 2.4.18 ppc

Simulations are like miniskirts, they show a lot and hide the essentials.
		-- Hubert Kirrman
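As an added illustration of the behaviour discussed in this thread (not code from the thread, from the collector report, or from Zope itself): a small audit helper for a site owner who wants to check their own server the way the report describes. It sends the same kind of request Nautilus sends, a PROPFIND with `Depth: 1` and no credentials, and parses the DAV multistatus reply to show what an anonymous client would be handed. The host name, the request body and the sample 207 response are constructed for the example; the classification thresholds are the example's own choice.

```python
"""Audit helper: does a site answer an unauthenticated WebDAV PROPFIND?

Added example, not code from the mailing-list thread or from Zope.
The sample multistatus body below is constructed; a real reply from a
Zope site would list that site's own objects.
"""
import http.client
import xml.etree.ElementTree as ET

DAV = "{DAV:}"  # Clark-notation prefix for the DAV: namespace

# Constructed sample of a 207 Multi-Status body, shaped like what a
# WebDAV server returns for a Depth: 1 PROPFIND on a folder.
SAMPLE_MULTISTATUS = b"""<?xml version="1.0" encoding="utf-8"?>
<d:multistatus xmlns:d="DAV:">
  <d:response>
    <d:href>/</d:href>
    <d:propstat><d:prop><d:resourcetype><d:collection/></d:resourcetype></d:prop>
    <d:status>HTTP/1.1 200 OK</d:status></d:propstat>
  </d:response>
  <d:response>
    <d:href>/index_html</d:href>
    <d:propstat><d:prop><d:resourcetype/></d:prop>
    <d:status>HTTP/1.1 200 OK</d:status></d:propstat>
  </d:response>
  <d:response>
    <d:href>/Members/</d:href>
    <d:propstat><d:prop><d:resourcetype><d:collection/></d:resourcetype></d:prop>
    <d:status>HTTP/1.1 200 OK</d:status></d:propstat>
  </d:response>
</d:multistatus>"""

# Minimal PROPFIND body: ask only for resourcetype, enough to tell
# folders from documents (constructed for this example).
PROPFIND_BODY = (b'<?xml version="1.0" encoding="utf-8"?>'
                 b'<d:propfind xmlns:d="DAV:"><d:prop><d:resourcetype/></d:prop></d:propfind>')


def parse_multistatus(body):
    """Return a list of (href, is_collection) from a DAV multistatus body."""
    root = ET.fromstring(body)
    listing = []
    for resp in root.iter(DAV + "response"):
        href = resp.findtext(DAV + "href")
        rtype = resp.find(f".//{DAV}resourcetype")
        is_collection = rtype is not None and rtype.find(DAV + "collection") is not None
        listing.append((href, is_collection))
    return listing


def classify(status, body):
    """Translate an anonymous PROPFIND result into a verdict for the site owner.

    207 with a listing is the state the report describes: anonymous
    clients get the site's object tree. 401/403 means the WebDAV
    permission is not granted to Anonymous; 404/405/501 means the server
    does not serve WebDAV on that path at all.
    """
    if status == 207:
        return "exposed", parse_multistatus(body)
    if status in (401, 403):
        return "protected", []
    if status in (404, 405, 501):
        return "webdav-disabled", []
    return "unexpected", []


def anonymous_propfind(host, path="/", port=80):
    """Send a PROPFIND with Depth: 1 and no credentials; return (status, body)."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    conn.request("PROPFIND", path, body=PROPFIND_BODY,
                 headers={"Depth": "1", "Content-Type": "text/xml"})
    resp = conn.getresponse()
    return resp.status, resp.read()


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; against a real
    # server you would pass the result of anonymous_propfind("your.host").
    verdict, entries = classify(207, SAMPLE_MULTISTATUS)
    print(verdict)
    for href, is_dir in entries:
        print(("[dir]  " if is_dir else "[file] ") + href)
```

A verdict of `exposed` is exactly the situation the report describes: the listing comes back without any authentication because the WebDAV access permission is granted to Anonymous. The report's suggested fix is to take that permission away from Anonymous; after doing so the same check should come back `protected`.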