Security Basics mailing list archives
Re: webdav security problem
From: Kunio Miyamoto <wakatono () todo gr jp>
Date: Fri, 28 Sep 2007 00:04:07 +0900
Hi.

When WebDAV is enabled and you don't limit processing of the PROPFIND method, you can browse the whole WebDAV-enabled directory even if you place an index.html file in that folder(s). The PROPFIND method shows the properties of the target URL, and if the target URL points to a collection (a special resource in the WebDAV definition, see RFC2518), the list of resources contained in the target URL is available as a result of that method.

On 27 Sep 2007 02:29:04 -0000 bag () oksofar com wrote:
Does anyone have any idea how I can either 1) set a rule on the file so it cannot be deleted (but the other files can be), or 2) keep browsers out of the directory, or 3) implement something that's more secure than webdav, but is simple (I don't want to do VPN, for example).
You can control access to your directory by simply configuring a limit on everything except the GET, OPTIONS methods in your Apache configuration file. For example:

    <Location /common>
        DAV on
        <LimitExcept GET HEAD OPTIONS>
            AuthUserFile /your/auth/passfile
            AuthGroupFile /dev/null
            AuthName common
            AuthType Basic
            Require valid-user
        </LimitExcept>
    </Location>

/your/auth/passfile is created by using htpasswd file.

---
宮本 久仁男 (Kunio Miyamoto), PMP
E-mail: wakatono () todo gr jp
WebDAV Resources JP: http://webdav.todo.gr.jp/
wakatonoの戯れメモ: http://d.hatena.ne.jp/wakatono/
Microsoft MVP (Windows - Security, 2005/10 - 2007/9)
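
An added example, not part of the original post: a Python helper for checking a server you administer, which sends an unauthenticated PROPFIND with Depth: 1 and reports whether the collection listing comes back or the request is refused, as it should be once the LimitExcept block above is in place. The function names, the host name and the sample 207 response are constructed for illustration.

```python
import http.client
import xml.etree.ElementTree as ET

DAV = "{DAV:}"  # WebDAV XML namespace (RFC 2518)

# Constructed sample: a 207 Multi-Status body for /common that still lists
# every member even though index.html is present.
SAMPLE_207 = b"""<?xml version="1.0" encoding="utf-8"?>
<D:multistatus xmlns:D="DAV:">
  <D:response><D:href>/common/</D:href></D:response>
  <D:response><D:href>/common/index.html</D:href></D:response>
  <D:response><D:href>/common/notes.txt</D:href></D:response>
</D:multistatus>"""


def propfind(host, path, port=80, timeout=5):
    """Send an unauthenticated PROPFIND (Depth: 1); return (status, body)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("PROPFIND", path, headers={"Depth": "1"})
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


def listed_resources(body):
    """Return the href of each <response> in a Multi-Status body."""
    if b"<!DOCTYPE" in body:  # refuse DTDs rather than expand entities
        raise ValueError("unexpected DTD in PROPFIND response")
    root = ET.fromstring(body)
    hrefs = (r.findtext(DAV + "href") for r in root.findall(DAV + "response"))
    return [h.strip() for h in hrefs if h]


def assess(status, body):
    """Classify the result of an unauthenticated PROPFIND."""
    if status in (401, 403):
        return "protected", []
    if status == 207:
        return "listing exposed", listed_resources(body)
    return "no listing (HTTP %d)" % status, []


if __name__ == "__main__":
    print(assess(207, SAMPLE_207))  # offline run on the constructed sample
    # Live check against a server you administer (hypothetical host):
    # print(assess(*propfind("dav.example.org", "/common/")))
```
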