Security Basics mailing list archives

Previous By Date Next
Previous By Thread Next

Re: webdav security problem

From: "Nikhil Wagholikar" <visitnikhil () gmail com>
Date: Fri, 28 Sep 2007 06:33:19 +0530
Hello Bag,

You could probably go for implementing .htaccess and .htpasswd
concepts which are provided by Apache.

By this method, only authorized users will only be able to access the
files/folders on remote web-server since they would have to
authenticate first.

More Information about .htaccess and .htpasswd:

http://blog.dreamhosters.com/kbase/index.cgi?area=3083
http://www.cgi-interactive-uk.com/htaccess.html
http://www.reallylinux.com/docs/htaccess.shtml

--
Nikhil Wagholikar
Information Security Analyst
NII Consulting
Web: http://www.niiconsulting.com


On 27 Sep 2007 02:29:04 -0000, bag () oksofar com <bag () oksofar com> wrote:

I maintain a very small office network. Some of our people work far away, and we need a way to share some of our 
files.


So I set up a webdav directory on the BSD/Apache server we are using for our website. I made a folder available as a 
subdoman (for example, common.xyz.com) and set up the necessary config file parameters for webdav in that directory. 
Our staff can now connect via an XP or OSX network connection and treat the directory as a folder on their computers.


However, I can navigate to the directory with my browser without using an ID or password. I simply navigate to 
common.xyz.com, and I see all the files that are in the directory. This was a big surprise, because users need to 
enter id/password to connect by webdav. I realized that webdav requires that GET headers must NOT require valid users 
- so any browser can get in.


So, I added an index.html file to the directory, and that effectively blocked access to the files by browser. You 
would think that this solved the problem.


But no. I discovered one day that someone had deleted the index.html file. Anyone with access to the directory can do 
that.


So I tried to set unix permissions to prevent deletion of the file. Nothing I did worked. I disabled write permission 
on the file for all users, but people could still delete it. I think that I would have to disable write permission 
for the whole directory to prevent file deletion. But that's not feasible, since my users need to delete other files.


Does anyone have any idea how I can either 1) set a rule on the file so it cannot be deleted (but the other files can 
be), or 2) keep browsers out of the directory, or 3) implement something that's more secure than webdav, but is 
simple (I don't want to do VPN, for example).


Thank you
Previous By Date Next
Previous By Thread Next

Current thread: