Security Basics mailing list archives

Previous By Date Next
Previous By Thread Next

Re: webdav security problem

From: Nick Owen <nickowen () mindspring com>
Date: Thu, 27 Sep 2007 10:32:51 -0400
bag () oksofar com wrote:

I maintain a very small office network. Some of our people work far
away, and we need a way to share some of our files.

So I set up a webdav directory on the BSD/Apache server we are using
for our website. I made a folder available as a subdoman (for
example, common.xyz.com) and set up the necessary config file
parameters for webdav in that directory. Our staff can now connect
via an XP or OSX network connection and treat the directory as a
folder on their computers.

However, I can navigate to the directory with my browser without
using an ID or password. I simply navigate to common.xyz.com, and I
see all the files that are in the directory. This was a big surprise,
because users need to enter id/password to connect by webdav. I
realized that webdav requires that GET headers must NOT require valid
users - so any browser can get in.

So, I added an index.html file to the directory, and that effectively
blocked access to the files by browser. You would think that this
solved the problem.

But no. I discovered one day that someone had deleted the index.html
file. Anyone with access to the directory can do that.

So I tried to set unix permissions to prevent deletion of the file.
Nothing I did worked. I disabled write permission on the file for all
users, but people could still delete it. I think that I would have to
disable write permission for the whole directory to prevent file
deletion. But that's not feasible, since my users need to delete
other files.

Does anyone have any idea how I can either 1) set a rule on the file
so it cannot be deleted (but the other files can be), or 2) keep
browsers out of the directory, or 3) implement something that's more
secure than webdav, but is simple (I don't want to do VPN, for
example).

Thank you


Check your apache httpd.conf file. That is where webdav access is
controlled. A while back, I wrote a how-to on webdav, ssl & two-factor
authentication.  While you probably don't need the latter, the steps for
the first two may help you:

http://www.howtoforge.com/webdav_with_ssl_and_two_factor_authentication

nick

-- 
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
irc.freenode.net: #wikid
Previous By Date Next
Previous By Thread Next

Current thread: