[Zope] WebDAV security

Joachim Werner joachim.werner@iuveno.de
Sat, 8 Jan 2000 12:29:32 +0100


I have got a local configuration with a Linux server currently running Zope
2.1.1 for evaluation and some other machines, including a Win98 Notebook,
connected to the server via Ethernet.

The good thing is that I can use WebDAV to see and modify the Zope
folders/objects from Internet Explorer 5.0 on the Win98 machine.

The bad thing: There seems to be NO AUTHENTICATION needed to do this!

I tried first on the Win98 itself with a local Zope. My guess was that it
automatically accepts local connections as allowed. But when I "WebDAVed" into
the Zope on the Linux machine, it was accessible, too. O.K., my Win98 uses a
valid user/password on the Linux machine needed for Samba, so I tried with
a different logon and Zope still was very open for WebDAV connections!

Same with Win98 running in a VMWare box on another Linux machine!

Is this a "feature" or a bug? If WebDAV was totally "open" by default, this
would be a major security issue!

The Linux server machine is also running SQUID as a proxy server for the other
machines. Could that be part of the problem?

If it is a security issue (I think so), is that problem still there in Zope
2.1.2?

Joachim Werner
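An added administrator's check, not part of Joachim's post or of Zope itself: it sends a single anonymous PROPFIND to a folder URL and classifies the reply, so you can tell whether the folder demands credentials (401/403) or hands out its listing to anyone (207 Multi-Status, the behaviour reported above). The in-process mock server is constructed only so the example runs offline; the `REQUIRE_AUTH` flag and the `Zope` realm name are assumptions, and `probe_webdav_auth` can be pointed at a real folder URL.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

def probe_webdav_auth(url, timeout=5):
    """Send an anonymous PROPFIND (Depth: 1) and return the HTTP status.
    No credentials are attached on purpose: a protected folder must answer
    401 (or 403), never 207 Multi-Status carrying its listing."""
    u = urlparse(url)
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=timeout)
    conn.request("PROPFIND", u.path or "/", headers={"Depth": "1"})
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status

def classify(status):
    """Map the status of the anonymous PROPFIND to an audit verdict."""
    if status in (401, 403):
        return "auth-required"        # what a private folder should return
    if status == 207:
        return "anonymous-listing"    # the open behaviour described in the post
    if status in (404, 405, 501):
        return "webdav-unavailable"   # PROPFIND not served on this path
    return "unexpected"

class _MockDav(BaseHTTPRequestHandler):
    """Constructed stand-in server (not Zope); REQUIRE_AUTH flips its policy."""
    REQUIRE_AUTH = True

    def do_PROPFIND(self):
        if self.REQUIRE_AUTH and "Authorization" not in self.headers:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="Zope"')
            self.end_headers()
            return
        self.send_response(207)   # Multi-Status: listing handed out anonymously
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass

def audit_mock(require_auth):
    """Start the mock on a free port, probe it once anonymously, return verdict."""
    _MockDav.REQUIRE_AUTH = require_auth
    srv = HTTPServer(("127.0.0.1", 0), _MockDav)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return classify(probe_webdav_auth(f"http://127.0.0.1:{srv.server_port}/"))
    finally:
        srv.shutdown()
```

Against a real server, a verdict of "anonymous-listing" on a folder that should be private is the condition the post describes and is what to fix before exposing the WebDAV port.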