Guest can destroy the whole Gallery in less than 2 seconds via WebDAV
|
belinea
Joined: 2003-12-29
Posts: 49 |
Posted: Sun, 2007-01-14 02:19
|
|
Guest can mount the Gallery via WebDAV. A Guest can also delete Items via WebDAV. If a guest marks all albums and press the delete key your Gallery is fully destroyed. |
|
Posts: 32509
only if they have delete permission.
it's the same as if they browsed to your gallery and delete an album.
just don't give the everybody group the delete permission, that's crazy.
--------------
Enter the Gallery 2 Theme Contest today!
Posts: 49
Guest can only VIEW Items in my Gallery. They can´t upload Items and they can´t delete items.
But via WebDAV guest have all permissions. They can upload items, rename items and delete Items.
Posts: 32509
I guess you tested that yourself. Or did a guest report that to you?
In case you tested it yourself, are you sure you were acting as guest?
Most WebDAV client programs authenticate via HTTPauth. In case you were using the built-in Windows WebDAV client using Windows Explorer, it could have shared the HTTPauth with your Internet Explorer. So if you either were logged into your G2 with IE or actually through the WebDAV client directly, it would act as the logged in user and not as guest.
--------------
Enter the Gallery 2 Theme Contest today!
Posts: 49
Ahhhhh.
You´re right: I have tested it on my machine. A guest from another computer cannot delete items. Puuuh
But even when I log out forum the gallery i have fully access via WebDAV to the Gallery. Is it possible to logout myself in the IE WebDAV Client?
Many thanks for your help.
Posts: 49
I have disabled "Use HTTP Authentication". Now everything is running fine. When I log me out from gallery I´m also logged out from the WebDAV client.
Posts: 32509
It depends on your exact G2 / httpauth module version. But logout should also logout from httpauth.
It should work since httpauth v0.5.0.
--------------
Enter the Gallery 2 Theme Contest today!
Posts: 49
I have "HTTP Auth 0.5.0" from G2 RC1 installed.