Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Basics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: webdav security problem

from [Nick Owen] Network Security [Permanent Link]
Subject: Re: webdav security problem
Date: Thu, 27 Sep 2007 10:32:51 -0400 
bag@oksofar.com wrote:

I maintain a very small office network. Some of our people work far
away, and we need a way to share some of our files.

So I set up a webdav directory on the BSD/Apache server we are using
for our website. I made a folder available as a subdoman (for
example, common.xyz.com) and set up the necessary config file
parameters for webdav in that directory. Our staff can now connect
via an XP or OSX network connection and treat the directory as a
folder on their computers.

However, I can navigate to the directory with my browser without
using an ID or password. I simply navigate to common.xyz.com, and I
see all the files that are in the directory. This was a big surprise,
because users need to enter id/password to connect by webdav. I
realized that webdav requires that GET headers must NOT require valid
users - so any browser can get in.

So, I added an index.html file to the directory, and that effectively
blocked access to the files by browser. You would think that this
solved the problem.

But no. I discovered one day that someone had deleted the index.html
file. Anyone with access to the directory can do that.

So I tried to set unix permissions to prevent deletion of the file.
Nothing I did worked. I disabled write permission on the file for all
users, but people could still delete it. I think that I would have to
disable write permission for the whole directory to prevent file
deletion. But that's not feasible, since my users need to delete
other files.

Does anyone have any idea how I can either 1) set a rule on the file
so it cannot be deleted (but the other files can be), or 2) keep
browsers out of the directory, or 3) implement something that's more
secure than webdav, but is simple (I don't want to do VPN, for
example).

Thank you


Check your apache httpd.conf file. That is where webdav access is
controlled. A while back, I wrote a how-to on webdav, ssl & two-factor
authentication.  While you probably don't need the latter, the steps for
the first two may help you:

http://www.howtoforge.com/webdav_with_ssl_and_two_factor_authentication

nick

-- 
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
irc.freenode.net: #wikid
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Teaching Security+ Book, Neil Presser
Next by Date:  RE: Internet usage and monitoring, James Harless
Previous by Thread:  webdav security problem, bag
Next by Thread:  Re: webdav security problem, Kunio Miyamoto
Indexes:  [Date] [Thread] [Top] [All Lists]