[thelist] Windows WebDAV problem with authentication

Ken Schaefer Ken at adOpenStatic.com
Tue Sep 4 08:29:29 CDT 2007


One example is used in at least two collaboration systems that I know of (one of which is produced by Microsoft). There is a "view in Explorer mode" option for a document library. From memory (I don't have an installation handy at home) this invokes some script on the client that invokes the WebDAV provider, which displays an explorer view of a document library.

I'll have a look at this at work - I'm not 100% sure whether this entirely script based, or whether it invokes a HTTP request to which the server returns a response which invokes something on the client. But in either case, there is no user interaction.


-----Original Message-----
From: thelist-bounces at lists.evolt.org [mailto:thelist-bounces at lists.evolt.org] On Behalf Of Hassan Schroeder
Sent: Tuesday, 4 September 2007 11:20 PM
To: thelist at lists.evolt.org
Subject: Re: [thelist] Windows WebDAV problem with authentication

On 9/3/07, Ken Schaefer <Ken at adopenstatic.com> wrote:

> The issue, from what I remember, is that, say a script, running on the user's
> machine, may invoke the WebDAV provider to connect to a remote resource.
> Since the prompt will be in Explorer rather than IE, it may be that some users
> are trusting enough to think that this is a LAN resource.

"a script" -- are you talking about a script running in a browser,
loaded from an arbitrary site? Do you have any references to how
this exploit would actually work?

More information about the thelist mailing list