[Zope] Webdav security (hole?) question.
Tim Cook
tim@freepm.org
Sat, 12 May 2001 14:49:21 -0500
Chris McDonough wrote:
>
> Hi Antwan,
> That said, I'm suspicious of the claim that via WebDAV, you're able to
> subvert the Zope security policy in any way, because it's the same one
> that's used by "normal" HTTP access. For example, if you're able to
> change the body of a DTML method via WebDAV on your site, it's likely
> because the permission "Add Documents, Images, and Files" (or perhaps
> "Change DTML Methods") is provided to the Anonymous user respective to
> the object itself. Likewise, if you can PUT a DTML document into a
> folder as the anonymous user, it's likely because the "Add Documents,
> Images, and Files" permission is provided to the Anonymous User
> respective to the folder.
>
> Can you provide a specific set of steps using WebDAV that demonstrates a
> subversion of your specific security policy?
I also am suspicious. I have not tried a MS client but did use
cadaver to test WebDAV access last week and it prompted for a
password as it should.
Antwan, feel free to hit the DEMO site below and let me know if
you trash my demo <s>.
Thanks,
--
Tim Cook, President - FreePM,Inc.
http://www.FreePM.com Office: (731) 884-4126
ONLINE DEMO: http://www.freepm.org:8080/FreePM
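A scripted form of the check Tim ran by hand with cadaver, added here as an example and not part of the original thread: it sends an unauthenticated PROPFIND (listing) and PUT (create) to a WebDAV folder and reports whether the server challenged for credentials, which is what you expect when the "Add Documents, Images, and Files" permission is not granted to Anonymous. The default demo URL, the probe file name and the `audit`/`classify` helpers are assumptions; `sender` is injectable so the logic can be run without a network.

```python
"""Check that a Zope WebDAV folder refuses anonymous listing and writes."""
import http.client
from urllib.parse import urlparse

PROBE_NAME = "webdav_auth_probe.txt"  # hypothetical file name for the PUT test

def send(url, method, body=None, headers=None):
    """Send one request with no credentials; return (status, reason)."""
    u = urlparse(url)
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=10)
    conn.request(method, u.path or "/", body=body, headers=headers or {})
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status, resp.reason

def classify(method, status):
    """Map a status code to the security-relevant outcome for this method."""
    if status in (401, 407):
        return "protected"       # challenged for a password, as cadaver was
    if status == 403:
        return "denied"          # no challenge, but the permission is missing
    if 200 <= status < 300:
        return "anonymous-read" if method == "PROPFIND" else "anonymous-write"
    return "other"

def audit(folder_url, sender=send):
    """Probe PROPFIND and PUT on folder_url as Anonymous.

    Returns e.g. {"PROPFIND": "protected", "PUT": "protected"}.
    """
    results = {}
    status, _ = sender(folder_url, "PROPFIND", headers={"Depth": "1"})
    results["PROPFIND"] = classify("PROPFIND", status)
    probe_url = folder_url.rstrip("/") + "/" + PROBE_NAME
    status, _ = sender(probe_url, "PUT", body=b"probe",
                       headers={"Content-Type": "text/plain"})
    results["PUT"] = classify("PUT", status)
    if results["PUT"] == "anonymous-write":
        # Remove the probe object we just created on the server under test.
        sender(probe_url, "DELETE")
    return results

if __name__ == "__main__":
    import sys
    url = sys.argv[1] if len(sys.argv) > 1 else "http://www.freepm.org:8080/FreePM/"
    for method, outcome in audit(url).items():
        print(f"{method:8s} -> {outcome}")
```

Run it only against a server you administer; a "protected" result for both methods matches the behaviour Tim describes.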