[Zope] Disabling anonymous webdav access

Ivo van der Wijk ivo@amaze.nl
Wed, 16 May 2001 12:21:03 +0200 

Hi All,

As someone pointed out on #zope, it is possible to view folder contents
using a webdav client as an anonymous user.

I.e. download cadaver (http://www.webdav.org/cadaver/), open 
yourzopeserver:8080 and do ls. Then decide if you want anyone to be 
able to access this. Eventhough hiding this information may be security
by obscurity, there are some things you just don't want everyone to see.

This allows you to see, for example, the installed products on the server.
A hacker might use this knowledge to exploit some known bug in a zope product
if one exists.

Most people (like me) probably think it's harmless to let old
objects, documents etc linger around as you can't view them in listings
through ftp or http. They don't realize webdav is running by default. Actually,
it can't even be disabled! (z2.py -X -w80 won't do the trick!)

Personally I'd rather see this secured. It's not possible to disable 
'view contents information' for anonymous users in zope, as this will ruin
your entire site (all anonymous access will then be disabled), so the solution
would be to create a new permission for access contents through webdav.

And that's what the following (trivial) patch does. 

After applying you'll get a new permission in your security tab, which 
is set to manager by default. To get the old behaviour back, just set the
permission back to anonymous.

Apply it using patch -p1 ../webdav.patch in your SOFTWARE_HOME (i.e. the 
Zope-2.3.2-src dir).

Or just edit lib/python/webdav/Resource.py by hand :)

I've tested it with Zope 2.3.2, I can't guarantee it will work with other
versions (use at your own risk anyway).

-- cut here --
*** Zope-2.3.2-orig/lib/python/webdav/Resource.py       Tue Mar 27 21:50:37 2001
--- Zope-2.3.2-src/lib/python/webdav/Resource.py        Mon May 14 19:16:46 2001
***************
*** 109,115 ****
  
      __ac_permissions__=(
          ('View',                             ('HEAD',)),
!         ('Access contents information',      ('PROPFIND',)),
          ('Manage properties',                ('PROPPATCH',)),
          ('Delete objects',                   ('DELETE',)),
      )
--- 109,115 ----
  
      __ac_permissions__=(
          ('View',                             ('HEAD',)),
!         ('Access contents information through WebDav',      ('PROPFIND',)),
          ('Manage properties',                ('PROPPATCH',)),
          ('Delete objects',                   ('DELETE',)),
      )
-- cut here --

Cheers,

	Ivo

-- 
Drs. I.R. van der Wijk                              -=-
Brouwersgracht 132                      Amaze Internet Services V.O.F.
1013 HA Amsterdam                                   -=-
Tel: +31-20-4688336                          Linux/Web/Zope/SQL
Fax: +31-20-4688337                           Network Solutions
Web:     http://www.amaze.nl/                    Consultancy
Email:   ivo@amaze.nl                               -=-