[Zope] is WebDAV a security hole?

Brian Lloyd Brian@digicool.com
Mon, 5 Jun 2000 11:08:19 -0400


> Been playing around with WebDAV from IE5 connecting to a RedHat 6.1
> +Zope 2.1.6
> 
> And it seems that quite a bit of the stuff that probably shouldn't be
> visible can be seen,
> for example acl_users

What other things are you referring to? (see answer for acl_users
below)

> 
> Without being logged in I can start a download of it, eventually IE5
> fails, but I get this uncomfortable feeling that this is more due to IE5
> not handling this document type than anything else...
> 
> If I used some other WebDAV client, could I then download acl_users, and
> if so, would this expose usernames/passwords?

It would not expose passwords - I believe that what you are seeing
is a sort of non-obvious but basically harmless thing. User folders
(acl_users) do not have an index_html method (by design). When a 
DAV client tries to "download" acl_users, it is actually acquiring
the closest index_html from above and downloading that :^) One 
could argue that this is lame and that attempting to GET 
.../acl_users/ should raise an error (404?). I'm interested in 
other viewpoints on this - if there is some consensus, a proposed 
change should be put in the Collector.



Brian Lloyd        brian@digicool.com
Software Engineer  540.371.6909              
Digital Creations  http://www.digicool.com
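
Added illustration, not part of the original message and not Zope's own code: a simplified Python model of the acquisition behaviour described in the reply, showing why a GET on acl_users returns the parent's index_html rather than user data, next to the stricter lookup suggested as an alternative. The names `Node`, `get_acquiring` and `get_strict` and the sample hierarchy are hypothetical.

```python
# Simplified model of Zope-style acquisition; an assumption-laden sketch,
# not Zope's implementation.
class Node:
    def __init__(self, name, parent=None, **attrs):
        self.name = name
        self.parent = parent
        self.attrs = dict(attrs)  # attributes defined directly on this object

    def path(self):
        if self.parent is None:
            return "/"
        return self.parent.path().rstrip("/") + "/" + self.name

    def acquire(self, attr):
        """Walk up the containment chain; return (owner, value) or None."""
        node = self
        while node is not None:
            if attr in node.attrs:
                return node, node.attrs[attr]
            node = node.parent
        return None


def get_acquiring(node):
    """Behaviour described in the message: GET renders the nearest index_html."""
    found = node.acquire("index_html")
    if found is None:
        return 404, None, ""
    owner, body = found
    return 200, owner.path(), body


def get_strict(node):
    """Alternative raised in the message: no own index_html means 404."""
    if "index_html" in node.attrs:
        return 200, node.path(), node.attrs["index_html"]
    return 404, None, ""


# Constructed sample hierarchy: a root with a front page and a user folder
# that has user records but no index_html of its own.
root = Node("", index_html="<html>Welcome to the site</html>")
acl_users = Node("acl_users", parent=root, users={"alice": "constructed-hash"})

if __name__ == "__main__":
    print("acquiring:", get_acquiring(acl_users))  # body comes from "/"
    print("strict:   ", get_strict(acl_users))     # 404
```

When auditing a deployment for this behaviour, compare the response body for the folder URL with the body of its parent; an identical body means the content was acquired, not read from the folder.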