Security Basics mailing list archives

Previous By Date Next
Previous By Thread Next

Re: webdav security problem

From: Kunio Miyamoto <wakatono () todo gr jp>
Date: Fri, 28 Sep 2007 00:04:07 +0900

Hi.

 When WebDAV is enabled and don't limit to process PROPFIND method, you
can browse whole WebDAV enabled directory even if you place index.html
file to that folder(s).

 PROPFIND method shows property of target URL, and if target URL points
collection (a special resource in WebDAV definition, see RFC2518),
resources list contained in the target URL is available as a result of
that method.

On 27 Sep 2007 02:29:04 -0000
bag () oksofar com wrote:

Does anyone have any idea how I can either
1) set a rule on the file so it cannot be deleted (but the other files
can be), or 2) keep browsers out of the directory, or 3) implement
something that's more secure than webdav, but is simple (I don't want
to do VPN, for example).


 You can control access your directory by simply configuring to limit
except GET, OPTIONS method in your Apache configuration file.

for example:
     <Location /common>
       DAV on
      <LimitExcept GET HEAD OPTIONS>
        AuthUserFile    /your/auth/passfile
        AuthGroupFile   /dev/null
        AuthName        common
        AuthType        Basic
        Require valid-user
      </LimitExcept>
     </Location>

/your/auth/passfile is created by using htpasswd file.

---
宮本 久仁男 (Kunio Miyamoto) , PMP 
E-mail: wakatono () todo gr jp
WebDAV Resources JP: http://webdav.todo.gr.jp/ 
wakatonoの戯れメモ     : http://d.hatena.ne.jp/wakatono/
Microsoft MVP (Windows - Security , 2005/10 - 2007/9)
Previous By Date Next
Previous By Thread Next

Current thread: