[thelist] Windows WebDAV problem with authentication

Hassan Schroeder hassan.schroeder at gmail.com
Tue Sep 4 08:19:40 CDT 2007

On 9/3/07, Ken Schaefer <Ken at adopenstatic.com> wrote:

> I'm not sure why you think that a user can only connect, using WebDAV, by
> using the "Network Places" folder and then manually creating a link.

Because I'm no Windows expert (nor user), and that's the only way
I've seen referenced anywhere? :-)

> The issue, from what I remember, is that, say a script, running on the user's
> machine, may invoke the WebDAV provider to connect to a remote resource.
> Since the prompt will be in Explorer rather than IE, it may be that some users
> are trusting enough to think that this is a LAN resource.

"a script" -- are you talking about a script running in a browser,
loaded from an arbitrary site? Do you have any references to how
this exploit would actually work?

Because that implies that IE's security model will let a script from
one site explicitly access any *other* random site by invoking non-
browser Windows services. Scary, if true. Still not sure why having
*no* password protection is better if we can do that already.

> But hey, if you think that Microsoft just disables functionality,
> potentially breaking other people's applications, for no reason

What I think about Microsoft isn't relevant here. :-)

One more time:  I'm trying to understand the security implications of
enabling basic auth passwords, versus /no password protection at all/,
or *other options*, if they exist.

So far all I've heard is vague and unsubstantiated generalities; if there's
any documentation of an actual exploit enabled by allowing basic auth,
or if there are any reasonable alternatives, I'd like to know.

Hassan Schroeder ------------------------ hassan.schroeder at gmail.com

More information about the thelist mailing list