[Zope] WebDAV security (seems to be secure ...)

Joachim Werner joachim.werner@iuveno.de
Sat, 8 Jan 2000 20:17:37 +0100


O. K., I checked the stuff again: I changed the Zope password, and all of a
sudden the WebDAV connection behaved as it should: protected areas of the Zope
site didn't show up. So what happened before is that the "remember password"
feature of IE 5.0 just did what it is supposed to do and so it seemed as if the
Zope site just opened without authentication.

Thank you anyway!

Joachim.

> 
> WebDAV uses HTTP authentication (it should use a digest mechanism but some
> webdav servers don't bother).
> 
> This means that any anonymous user has the same rights whether using webdav
> or just browsing through a browser.
> 
> The story changes though when you try to write to the server via webdav, you
> then need authentication.
> 
> The stuff returned to the webdav client should be the rendered version
> unless you know how to get at the unrendered version and know the
> password/username.
> 
> I may be proven wrong about this but that's how it should work according to
> the docs.
> 
> If you are interested in looking at webdav, have a look at the attached
> files.
> 
> These are a davlib.py client library and a simple test framework.  Play with
> them, and you'll see what I mean.
> 
> HTH
> 
> Phil
> phil.harris@zope.co.uk
> ----- Original Message -----
> From: "Joachim Werner" <joachim.werner@iuveno.de>
> To: <zope@zope.org>
> Sent: Saturday, January 08, 2000 11:29 AM
> Subject: [Zope] WebDAV security
> 
> 
> > I have got a local configuration with a Linux server currently running Zope
> > 2.1.1 for evaluation and some other machines, including a Win98 Notebook,
> > connected to the server via Ethernet.
> >
> > The good thing is that I can use WebDAV to see and modify the Zope
> > folders/objects from Internet Explorer 5.0 on the Win98 machine.
> >
> > The bad thing: There seems to be NO AUTHENTICATION needed to do this!
> >
> > I tried first on the Win98 itself with a local Zope. My guess was that it
> > automatically accepts local connections as allowed. But when I "WebDAVed" into
> > the Zope on the Linux machine, it was accessible, too. O.K., my Win98 uses a
> > valid user/password on the Linux machine needed for Samba, so I tried with
> > a different logon and Zope still was very open for WebDAV connections!
> >
> > Same with Win98 running in a VMWare box on another Linux machine!
> >
> > Is this a "feature" or a bug? If WebDAV was totally "open" by default, this
> > would be a major security issue!
> >
> > The Linux server machine is also running SQUID as a proxy server for the other
> > machines. Could that be part of the problem?
> >
> > If it is a security issue (I think so), is that problem still there in Zope
> > 2.1.2?
> >
> > Joachim Werner
> >
> > _______________________________________________
> > Zope maillist  -  Zope@zope.org
> > http://lists.zope.org/mailman/listinfo/zope
> > **   No cross posts or HTML encoding!  **
> > (Related lists -
> >  http://lists.zope.org/mailman/listinfo/zope-announce
> >  http://lists.zope.org/mailman/listinfo/zope-dev )
> >
> 

----------------------------------------
Content-Type: text/plain; name="davtest.py"
Content-Transfer-Encoding: 7bit
Content-Description: 
----------------------------------------

----------------------------------------
Content-Type: text/plain; name="davlib.py"
Content-Transfer-Encoding: quoted-printable
Content-Description: 
----------------------------------------
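The lesson of the thread is that a browser which remembers a password is not a usable tool for checking what an anonymous WebDAV client can see. The following script is an added example, not part of this message and not the attached davlib.py or any Zope code: it issues the PROPFIND once with no Authorization header at all and once with explicit Basic credentials, then compares the two listings against a list of path prefixes that the site policy says must require authentication. The server URL, the user name, the password and the embedded 207 Multi-Status responses are constructed for illustration; only the audit logic is meant to be reused.

```python
import base64
import http.client
import sys
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

DAV = "{DAV:}"  # ElementTree's Clark notation for the WebDAV namespace

# Minimal PROPFIND body: ask only for the name and type of each resource.
PROPFIND_BODY = (
    b'<?xml version="1.0" encoding="utf-8"?>'
    b'<D:propfind xmlns:D="DAV:"><D:prop>'
    b"<D:displayname/><D:resourcetype/>"
    b"</D:prop></D:propfind>"
)


def basic_auth_header(username, password):
    """Basic credential as the server expects it: base64("user:pass").
    It is attached only when the caller passes credentials explicitly, so a
    remembered login cannot slip into the anonymous run."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def propfind(url, depth="1", credentials=None, timeout=10):
    """One PROPFIND against url; returns (status, body_bytes).
    credentials is None for the anonymous run or a (user, password) tuple."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    headers = {
        "Depth": depth,
        "Content-Type": 'text/xml; charset="utf-8"',
        "Content-Length": str(len(PROPFIND_BODY)),
    }
    if credentials is not None:
        headers["Authorization"] = basic_auth_header(*credentials)
    try:
        conn.request("PROPFIND", parts.path or "/", body=PROPFIND_BODY, headers=headers)
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


def listed_hrefs(multistatus_body):
    """Every <D:href> in a 207 Multi-Status body; an unparsable body (for
    example a 401 error page) counts as an empty listing."""
    try:
        root = ET.fromstring(multistatus_body)
    except ET.ParseError:
        return set()
    return {e.text.strip() for e in root.iter(DAV + "href") if e.text}


def exposed_paths(anon_hrefs, protected_prefixes):
    """Hrefs in the anonymous listing whose path lies under a prefix that the
    site's own policy says must require authentication."""
    return {
        href for href in anon_hrefs
        if any(urlsplit(href).path.startswith(p) for p in protected_prefixes)
    }


def audit(anon_body, auth_body, protected_prefixes):
    """Compare an anonymous and an authenticated listing of the same folder.
    exposed   : protected resources the anonymous client could enumerate
    auth_only : resources that correctly appear only when authenticated
    identical : both listings agree; either nothing here is protected or, as
                in the thread, the 'anonymous' request was not anonymous."""
    anon = listed_hrefs(anon_body)
    auth = listed_hrefs(auth_body)
    return {
        "exposed": exposed_paths(anon, protected_prefixes),
        "auth_only": auth - anon,
        "identical": anon == auth,
    }


# Constructed sample responses (not captured from a real Zope server).
ANON_OK_SAMPLE = b"""<?xml version="1.0"?>
<D:multistatus xmlns:D="DAV:">
 <D:response><D:href>/</D:href></D:response>
 <D:response><D:href>/public/</D:href></D:response>
</D:multistatus>"""

AUTH_SAMPLE = b"""<?xml version="1.0"?>
<D:multistatus xmlns:D="DAV:">
 <D:response><D:href>/</D:href></D:response>
 <D:response><D:href>/public/</D:href></D:response>
 <D:response><D:href>/private/</D:href></D:response>
</D:multistatus>"""

ANON_LEAKY_SAMPLE = AUTH_SAMPLE  # anonymous client sees the private folder too

if __name__ == "__main__":
    if len(sys.argv) == 4:
        # Live run against your own server (hypothetical values):
        #   python davaudit.py http://zope.example:8080/ manager secret
        url, user, password = sys.argv[1:]
        _, anon_body = propfind(url)
        _, auth_body = propfind(url, credentials=(user, password))
        print(audit(anon_body, auth_body, ("/private",)))
    else:
        print("clean:", audit(ANON_OK_SAMPLE, AUTH_SAMPLE, ("/private",)))
        print("leaky:", audit(ANON_LEAKY_SAMPLE, AUTH_SAMPLE, ("/private",)))
```

Run without arguments it exercises the constructed samples offline; run with a URL and credentials it performs the two PROPFINDs against a server you administer. An `identical` result with a non-empty protected list is the signal to distrust the test setup before distrusting the server: in the thread it was exactly the cached browser password, not a missing access check, that produced the apparently open site.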