[thelist] Windows WebDAV problem with authentication

Ken Schaefer Ken at adOpenStatic.com
Tue Sep 4 01:49:49 CDT 2007


I'm not sure why you think that a user can only connect, using WebDAV, by using the "Network Places" folder and then manually creating a link.

The issue, from what I remember, is that, say a script, running on the user's machine, may invoke the WebDAV provider to connect to a remote resource. Since the prompt will be in Explorer rather than IE, it may be that some users are trusting enough to think that this is a LAN resource.

But hey, if you think that Microsoft just disables functionality, potentially breaking other people's applications, for no reason, then just do what you want to do. It's your users, not mine.


-----Original Message-----
From: thelist-bounces at lists.evolt.org [mailto:thelist-bounces at lists.evolt.org] On Behalf Of Hassan Schroeder
Sent: Wednesday, 29 August 2007 12:00 AM
To: thelist at lists.evolt.org
Subject: Re: [thelist] Windows WebDAV problem with authentication

On 8/27/07, Ken Schaefer <Ken at adopenstatic.com> wrote:
> What about using some alternate authentication mechanism? Digest
> or NTLM or Kerberos spring to mind (if SSL/TLS or IPSec can not be
> used to secure the channel)

Sorry, I'm confused -- I never said anything about SSL, and it certainly
*can* be used here.  I don't see how that relates to your point about this
registry setting applying to all possible servers.

Nor do I understand how this implied deficiency would be exploited.

> > ... why would you ask your users to deliberately make their machines
> > less secure than before?
> >
> > This setting does not apply to just your server. It means that anytime
> > the user is convinced to connect to a remote server that supports
> > WebDAV they may be prompted for their credentials, which would
> > potentially be sent in clear text
> 1. ? "..convinced to connect..." ? How would that work? We're talking
>    about "Network Places" deliberately created by the user here, not
>    something accessed through a browser from, say, a link in an email.
>    How is that exploitable?
> 2. Any random Web site can "prompt for credentials" to be sent in
>    clear text -- why is that less of a threat?

More information about the thelist mailing list