Re: webdav security problem


Hi.

When WebDAV is enabled and don't limit to process PROPFIND method, you
can browse whole WebDAV enabled directory even if you place index.html
file to that folder(s).

PROPFIND method shows property of target URL, and if target URL points
collection (a special resource in WebDAV definition, see RFC2518),
resources list contained in the target URL is available as a result of
that method.

On 27 Sep 2007 02:29:04 -0000
bag@xxxxxxxxxxx wrote:
Does anyone have any idea how I can either
1) set a rule on the file so it cannot be deleted (but the other files
can be), or 2) keep browsers out of the directory, or 3) implement
something that's more secure than webdav, but is simple (I don't want
to do VPN, for example).

You can control access your directory by simply configuring to limit
except GET, OPTIONS method in your Apache configuration file.

for example:
<Location /common>
DAV on
<LimitExcept GET HEAD OPTIONS>
AuthUserFile /your/auth/passfile
AuthGroupFile /dev/null
AuthName common
AuthType Basic
Require valid-user
</LimitExcept>
</Location>

/your/auth/passfile is created by using htpasswd file.

---
宮本 久仁男 (Kunio Miyamoto) , PMP
E-mail: wakatono@xxxxxxxxxx
WebDAV Resources JP: http://webdav.todo.gr.jp/
wakatonoの戯れメモ : http://d.hatena.ne.jp/wakatono/
Microsoft MVP (Windows - Security , 2005/10 - 2007/9)