Re: webdav security problem
- From: "Nikhil Wagholikar" <visitnikhil@xxxxxxxxx>
- Date: Fri, 28 Sep 2007 06:33:19 +0530
Hello Bag,
You could probably go for implementing .htaccess and .htpasswd
concepts which are provided by Apache.
By this method, only authorized users will only be able to access the
files/folders on remote web-server since they would have to
authenticate first.
More Information about .htaccess and .htpasswd:
http://blog.dreamhosters.com/kbase/index.cgi?area=3083
http://www.cgi-interactive-uk.com/htaccess.html
http://www.reallylinux.com/docs/htaccess.shtml
--
Nikhil Wagholikar
Information Security Analyst
NII Consulting
Web: http://www.niiconsulting.com
On 27 Sep 2007 02:29:04 -0000, bag@xxxxxxxxxxx <bag@xxxxxxxxxxx> wrote:
I maintain a very small office network. Some of our people work far away, and we need a way to share some of our files.
So I set up a webdav directory on the BSD/Apache server we are using for our website. I made a folder available as a subdoman (for example, common.xyz.com) and set up the necessary config file parameters for webdav in that directory. Our staff can now connect via an XP or OSX network connection and treat the directory as a folder on their computers.
However, I can navigate to the directory with my browser without using an ID or password. I simply navigate to common.xyz.com, and I see all the files that are in the directory. This was a big surprise, because users need to enter id/password to connect by webdav. I realized that webdav requires that GET headers must NOT require valid users - so any browser can get in.
So, I added an index.html file to the directory, and that effectively blocked access to the files by browser. You would think that this solved the problem.
But no. I discovered one day that someone had deleted the index.html file. Anyone with access to the directory can do that.
So I tried to set unix permissions to prevent deletion of the file. Nothing I did worked. I disabled write permission on the file for all users, but people could still delete it. I think that I would have to disable write permission for the whole directory to prevent file deletion. But that's not feasible, since my users need to delete other files.
Does anyone have any idea how I can either 1) set a rule on the file so it cannot be deleted (but the other files can be), or 2) keep browsers out of the directory, or 3) implement something that's more secure than webdav, but is simple (I don't want to do VPN, for example).
Thank you
- References:
- webdav security problem
- From: bag
- webdav security problem
- Prev by Date: RE: Full Disk Laptop Encryption
- Next by Date: RE: Full Disk Encryption, Digital Signatures and enterprise Data Analysis and Transactional Auditing (eDATA)
- Previous by thread: Re: webdav security problem
- Next by thread: Re: webdav security problem
- Index(es):
Relevant Pages
|
