[Zope] Webdav security(hole?)question.

Chris McDonough chrism@digicool.com
Sat, 12 May 2001 15:08:03 -0400


Hi Antwan,

You're right in stating that this is a security problem.  The fact that
anonymous users can retrieve directory listings is itself a security
problem (and is the reason that the method suite represented by
'objectIds' was protected from TTW access in 2.2.something). 
Unfortunately, currently, the WebDAV implementation is tied up with the
"normal" HTTP server code in such a way that turning WebDAV off
independently of other HTTP requests is not possible.  This also needs
to be fixed or addressed in another way.

That said, I'm suspicious of the claim that via WebDAV, you're able to
subvert the Zope security policy in any way, because it's the same one
that's used by "normal" HTTP access.  For example, if you're able to
change the body of a DTML method via WebDAV on your site, it's likely
because the permission "Add Documents, Images, and Files" (or perhaps
"Change DTML Methods") is provided to the Anonymous user respective to
the object itself.  Likewise, if you can PUT a DTML document into a
folder as the anonymous user, it's likely because the "Add Documents,
Images, and Files" permission is provided to the Anonymous User
respective to the folder.

Can you provide a specific set of steps using WebDAV that demonstrates a
subversion of your specific security policy?

- C

Antwan Reijnen wrote:
> 
> Hi All,
> 
> I have a weird security problem with my Zope installation. I'm now running
> Zope 2.3.2 on Windows98, but the problem also occurred in Zope 2.3.1.
> 
> I installed a Webfolder in my explorer, to gain access via Webdav to the
> Zope Server. It didn't require a username/password to gain full access to
> the server... I tried to change my password from within Zope, but that
> didn't change a thing... I can walk in, without authentication needed...!
> 
> I was worried about this, so I decided to test Webdav on some
> Windows2000/IIS5 servers on internet too, to see if they required
> authentication. And a shocking 1 out of 4 servers I tried, were completely
> open to Webdav... I could retrieve directory listings, and I also had WRITE
> privileges. Some very important, large websites contain this access hole.
> 
> How is this possible???? How can I fix this hole in my Zope installation?
> Can I disable Webdav access completely, if there is no short term solution?
> 
> Any help is greatly appreciated.
> 
> Thanks in advance, greetings, Antwan Reijnen.
> 
> _______________________________________________
> Zope maillist  -  Zope@zope.org
> http://lists.zope.org/mailman/listinfo/zope
> **   No cross posts or HTML encoding!  **
> (Related lists -
>  http://lists.zope.org/mailman/listinfo/zope-announce
>  http://lists.zope.org/mailman/listinfo/zope-dev )
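As an added example, not from this thread and not Zope's own code: a Python script that scans an HTTP access log for WebDAV requests that succeeded with no authenticated user, which is the condition Chris describes (an anonymous PROPFIND listing or PUT going through because the Anonymous role holds the relevant permission on that folder). The Common Log Format layout, the sample lines, paths and addresses are all assumed and constructed here.

```python
import re
from collections import Counter

# Constructed sample lines in Common Log Format (not taken from the original thread).
SAMPLE_LOG = """\
192.0.2.10 - - [12/May/2001:14:58:01 -0400] "PROPFIND /site/ HTTP/1.1" 207 1840
192.0.2.10 - - [12/May/2001:14:58:05 -0400] "PUT /site/index_html HTTP/1.1" 204 0
192.0.2.10 - - [12/May/2001:14:58:07 -0400] "GET /site/index_html HTTP/1.1" 200 512
198.51.100.7 - admin [12/May/2001:15:01:22 -0400] "PUT /site/news HTTP/1.1" 201 0
192.0.2.10 - - [12/May/2001:15:02:00 -0400] "MKCOL /site/newdir HTTP/1.1" 401 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

WEBDAV_READ = {"PROPFIND"}
WEBDAV_WRITE = {"PUT", "MKCOL", "DELETE", "MOVE", "COPY", "PROPPATCH", "LOCK", "UNLOCK"}

def anonymous_webdav_hits(log_text):
    """Return (ip, method, path, status) for WebDAV requests that succeeded
    with no authenticated user ('-'). 207 is WebDAV Multi-Status (a listing)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; skip rather than guess
        method, status = m["method"], int(m["status"])
        if m["user"] != "-" or not 200 <= status < 300:
            continue  # authenticated, or refused (401/403): not the problem case
        if method in WEBDAV_READ or method in WEBDAV_WRITE:
            hits.append((m["ip"], method, m["path"], status))
    return hits

def summarize(hits):
    """Count anonymous WebDAV reads vs writes per client. A 'write' hit means the
    Anonymous role holds an add/change permission on that folder: review it."""
    summary = {}
    for ip, method, _path, _status in hits:
        kind = "write" if method in WEBDAV_WRITE else "read"
        summary.setdefault(ip, Counter())[kind] += 1
    return summary

if __name__ == "__main__":
    found = anonymous_webdav_hits(SAMPLE_LOG)
    for ip, method, path, status in found:
        print("anonymous WebDAV %s %s -> %d from %s" % (method, path, status, ip))
    print(summarize(found))
```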