[Zope] is WebDAV a security hole?
Jacob Lundqvist
jaclu@galdrion.com
Sun, 04 Jun 2000 16:34:34 +0200
Been playing around with WebDAV from IE5 connecting to a RedHat 6.1 + Zope 2.1.6.
And it seems that quite a bit of the stuff that probably shouldn't be
visible can be seen, for example acl_users.
Without being logged in I can start a download of it, eventually IE5
fails, but I get this uncomfortable feeling that this is more due to IE5
not handling this document type than anything else...
If I used some other WebDAV client, could I then download acl_users, and
if so, would this expose usernames/passwords?
I haven't fiddled with the Security Tab for acl_users, so it should be
default permissions. Are they bad and what should they be changed to?
---
Mail: Jaclu@galdrion.com
Phone: +46-708-555 456
Am I there? http://maja.luba.se/jacob/jacob.jpg