Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Basics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: webdav security problem

from [Nikhil Wagholikar] Network Security [Permanent Link]
Subject: Re: webdav security problem
Date: Fri, 28 Sep 2007 06:33:19 +0530 
Hello Bag,

You could probably go for implementing .htaccess and .htpasswd
concepts which are provided by Apache.

By this method, only authorized users will only be able to access the
files/folders on remote web-server since they would have to
authenticate first.

More Information about .htaccess and .htpasswd:

http://blog.dreamhosters.com/kbase/index.cgi?area=3083
http://www.cgi-interactive-uk.com/htaccess.html
http://www.reallylinux.com/docs/htaccess.shtml

--
Nikhil Wagholikar
Information Security Analyst
NII Consulting
Web: http://www.niiconsulting.com


On 27 Sep 2007 02:29:04 -0000, bag@oksofar.com <bag@oksofar.com> wrote:

I maintain a very small office network. Some of our people work far away, and 
we need a way to share some of our files.


So I set up a webdav directory on the BSD/Apache server we are using for our 
website. I made a folder available as a subdoman (for example, 
common.xyz.com) and set up the necessary config file parameters for webdav in 
that directory. Our staff can now connect via an XP or OSX network connection 
and treat the directory as a folder on their computers.


However, I can navigate to the directory with my browser without using an ID 
or password. I simply navigate to common.xyz.com, and I see all the files 
that are in the directory. This was a big surprise, because users need to 
enter id/password to connect by webdav. I realized that webdav requires that 
GET headers must NOT require valid users - so any browser can get in.


So, I added an index.html file to the directory, and that effectively blocked 
access to the files by browser. You would think that this solved the problem.


But no. I discovered one day that someone had deleted the index.html file. 
Anyone with access to the directory can do that.


So I tried to set unix permissions to prevent deletion of the file. Nothing I 
did worked. I disabled write permission on the file for all users, but people 
could still delete it. I think that I would have to disable write permission 
for the whole directory to prevent file deletion. But that's not feasible, 
since my users need to delete other files.


Does anyone have any idea how I can either 1) set a rule on the file so it 
cannot be deleted (but the other files can be), or 2) keep browsers out of 
the directory, or 3) implement something that's more secure than webdav, but 
is simple (I don't want to do VPN, for example).


Thank you
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Full Disk Encryption, Digital Signatures and enterprise Data Analysis and Transactional Auditing (eDATA), Bob Beringer
Next by Date:  which routing attacks are possible, itsec . info
Previous by Thread:  Re: webdav security problem, Kunio Miyamoto
Next by Thread:  Re: webdav security problem, krymson
Indexes:  [Date] [Thread] [Top] [All Lists]