Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Basics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: webdav security problem

from [Kunio Miyamoto] Network Security [Permanent Link]
Subject: Re: webdav security problem
Date: Fri, 28 Sep 2007 00:04:07 +0900 

Hi.

 When WebDAV is enabled and don't limit to process PROPFIND method, you
can browse whole WebDAV enabled directory even if you place index.html
file to that folder(s).

 PROPFIND method shows property of target URL, and if target URL points
collection (a special resource in WebDAV definition, see RFC2518),
resources list contained in the target URL is available as a result of
that method.

On 27 Sep 2007 02:29:04 -0000
bag@oksofar.com wrote:

Does anyone have any idea how I can either
1) set a rule on the file so it cannot be deleted (but the other files
can be), or 2) keep browsers out of the directory, or 3) implement
something that's more secure than webdav, but is simple (I don't want
to do VPN, for example).


 You can control access your directory by simply configuring to limit
except GET, OPTIONS method in your Apache configuration file.

for example:
     <Location /common>
       DAV on
      <LimitExcept GET HEAD OPTIONS>
        AuthUserFile    /your/auth/passfile
        AuthGroupFile   /dev/null
        AuthName        common
        AuthType        Basic
        Require valid-user
      </LimitExcept>
     </Location>

/your/auth/passfile is created by using htpasswd file.

---
宮本 久仁男 (Kunio Miyamoto) , PMP 
E-mail: wakatono@todo.gr.jp
WebDAV Resources JP: http://webdav.todo.gr.jp/ 
wakatonoの戯れメモ     : http://d.hatena.ne.jp/wakatono/
Microsoft MVP (Windows - Security , 2005/10 - 2007/9)
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: traffic creation, p1g
Next by Date:  Re: Internet usage and monitoring, p1g
Previous by Thread:  Re: webdav security problem, Nick Owen
Next by Thread:  Re: webdav security problem, Nikhil Wagholikar
Indexes:  [Date] [Thread] [Top] [All Lists]