[thelist] Windows WebDAV problem with authentication
Hassan Schroeder
hassan.schroeder at gmail.com
Tue Sep 4 08:19:40 CDT 2007
On 9/3/07, Ken Schaefer <Ken at adopenstatic.com> wrote:
> I'm not sure why you think that a user can only connect, using WebDAV, by
> using the "Network Places" folder and then manually creating a link.
Because I'm no Windows expert (nor user), and that's the only way
I've seen referenced anywhere? :-)
> The issue, from what I remember, is that, say a script, running on the user's
> machine, may invoke the WebDAV provider to connect to a remote resource.
> Since the prompt will be in Explorer rather than IE, it may be that some users
> are trusting enough to think that this is a LAN resource.
"a script" -- are you talking about a script running in a browser,
loaded from an arbitrary site? Do you have any references to how
this exploit would actually work?
Because that implies that IE's security model will let a script from
one site explicitly access any *other* random site by invoking non-
browser Windows services. Scary, if true. Still not sure why having
*no* password protection is better if we can do that already.
> But hey, if you think that Microsoft just disables functionality,
> potentially breaking other people's applications, for no reason
What I think about Microsoft isn't relevant here. :-)
One more time: I'm trying to understand the security implications of
enabling basic auth passwords, versus /no password protection at all/,
or *other options*, if they exist.
So far all I've heard is vague and unsubstantiated generalities; if there's
any documentation of an actual exploit enabled by allowing basic auth,
or if there are any reasonable alternatives, I'd like to know.
--
Hassan Schroeder ------------------------ hassan.schroeder at gmail.com
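The concrete difference the question above is asking about, as an added illustration that is not part of this thread or of any Windows or IIS code: what a Basic auth request puts on the wire versus what a Digest auth (RFC 2617) request puts there, and what someone who can read plain HTTP traffic gets from each. The user name, password, realm, request URI and nonce are constructed sample values; a real server picks a fresh nonce per challenge. The script also shows the caveat that a captured Digest header can still be guessed against offline, which is why TLS, not a different challenge scheme, is the actual fix for credentials over untrusted networks.

```python
"""Added example: what Basic vs. Digest authentication puts on the wire."""
import base64
import hashlib
import re

# Constructed sample values (not from the thread); a real server chooses the
# nonce fresh for each challenge.
USER = "alice"
PASSWORD = "s3cret"
REALM = "webdav"
METHOD = "PROPFIND"
URI = "/dav/"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"


def basic_header(user, password):
    """Client side of Basic auth: base64(user:password). Encoding, not encryption."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Authorization: Basic {token}"


def recover_basic(header):
    """What anyone who can read the plain-HTTP request gets from a Basic header."""
    m = re.match(r"Authorization:\s*Basic\s+(\S+)", header)
    if not m:
        return None
    user, _, password = base64.b64decode(m.group(1)).decode().partition(":")
    return user, password


def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_ha1(user, realm, password):
    """HA1 = MD5(user:realm:password); a server may store this instead of the password."""
    return _md5(f"{user}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce):
    """RFC 2617 Digest without qop: response = MD5(HA1:nonce:HA2), HA2 = MD5(method:uri)."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def digest_header(user, password, realm, method, uri, nonce):
    """Client side of Digest auth: the password itself never appears in the header."""
    response = digest_response(digest_ha1(user, realm, password), method, uri, nonce)
    return (f'Authorization: Digest username="{user}", realm="{realm}", '
            f'nonce="{nonce}", uri="{uri}", response="{response}"')


def parse_digest(header):
    """Fields an observer (or the server) can read from a Digest header."""
    return dict(re.findall(r'(\w+)="([^"]*)"', header))


def server_accepts_digest(header, method, stored_ha1, expected_nonce):
    """Server check: recompute the response from the stored HA1 and compare."""
    f = parse_digest(header)
    if f.get("nonce") != expected_nonce:
        return False  # stale or forged nonce
    expected = digest_response(stored_ha1, method, f.get("uri", ""), expected_nonce)
    return f.get("response") == expected  # production code: hmac.compare_digest


def offline_guess(header, method, candidates):
    """Caveat: a Digest header captured from plain HTTP can be attacked offline,
    because the nonce is visible and MD5 is cheap to compute per guess."""
    f = parse_digest(header)
    for guess in candidates:
        ha1 = digest_ha1(f["username"], f["realm"], guess)
        if digest_response(ha1, method, f["uri"], f["nonce"]) == f["response"]:
            return guess
    return None


if __name__ == "__main__":
    b = basic_header(USER, PASSWORD)
    print(b, "->", recover_basic(b))
    d = digest_header(USER, PASSWORD, REALM, METHOD, URI, NONCE)
    print(d)
    print("password visible in Digest header:", PASSWORD in d)
    print("offline guess against a small list:", offline_guess(d, METHOD, ["password", "s3cret"]))
```

Run as-is, it prints the two headers, recovers the Basic credentials directly from the header, shows that the Digest header does not contain the password, and then recovers it anyway by guessing, which is the point: without TLS the question is only how much work the observer has to do, not whether they can get the password.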