webdav security problem
- From: bag@xxxxxxxxxxx
- Date: 27 Sep 2007 02:29:04 -0000
I maintain a very small office network. Some of our people work far away, and we need a way to share some of our files.
So I set up a webdav directory on the BSD/Apache server we are using for our website. I made a folder available as a subdoman (for example, common.xyz.com) and set up the necessary config file parameters for webdav in that directory. Our staff can now connect via an XP or OSX network connection and treat the directory as a folder on their computers.
However, I can navigate to the directory with my browser without using an ID or password. I simply navigate to common.xyz.com, and I see all the files that are in the directory. This was a big surprise, because users need to enter id/password to connect by webdav. I realized that webdav requires that GET headers must NOT require valid users - so any browser can get in.
So, I added an index.html file to the directory, and that effectively blocked access to the files by browser. You would think that this solved the problem.
But no. I discovered one day that someone had deleted the index.html file. Anyone with access to the directory can do that.
So I tried to set unix permissions to prevent deletion of the file. Nothing I did worked. I disabled write permission on the file for all users, but people could still delete it. I think that I would have to disable write permission for the whole directory to prevent file deletion. But that's not feasible, since my users need to delete other files.
Does anyone have any idea how I can either 1) set a rule on the file so it cannot be deleted (but the other files can be), or 2) keep browsers out of the directory, or 3) implement something that's more secure than webdav, but is simple (I don't want to do VPN, for example).