- From: Yves Lafon <ylafon@w3.org>
- Date: Tue, 21 Aug 2001 19:05:01 +0200 (MET DST)
- To: Milum Software <shayes@milum.com>
- cc: <www-jigsaw@w3.org>

On Tue, 21 Aug 2001, Milum Software wrote:

> I'm using Jigsaw version 2.0.5 server on Windows 98 and NT and when I use
> the Jigsaw realm authentication it works fine as long as the user uses an
> upper case letter for the directory I need to authorize access to.
>
> On my server I have a directory "Calendars" full path would be
> "http://192.168.1.7/Calendars" that I have set to request authorization
> before allowing a user to browse to the directory. This works great except
> if the user types a lower case "calendar" "http://192.168.1.7/calendars"
> which lets the user in without authorization. If anyone could give me any
> info on this problem it would be great. This is a big security hole for us.

It happens because Windows is not case sensitive to access directories, go to
Properties->General then set "Check Sensitivity" to false. It should fix this
problem. Note that in your example a distinct container "calendars" has been
created, so you need to remove it before.

There was also a similar problem ("backdoor" to access a protected resource)
but due to another thing, involving content-negotiation, for this you can try
to use a zip available from
http://jigsaw.w3.org/Devel/classes-2.0/20010821/jigsaw.zip
(I just backported what is in 2.1).

--
Yves Lafon - W3C
"Baroula que barouleras, au tiéu toujou t'entourneras."

Received on Tuesday, 21 August 2001 13:05:06 UTC
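
Added example (not part of the original message and not Jigsaw code): a minimal model of the gap discussed in this thread, where access rules are keyed on the requested spelling while the filesystem resolves names case-insensitively, next to a check that only serves the exact on-disk spelling. The ACL set, function names and directory layout are assumptions constructed for illustration.

```python
import os
import tempfile

PROTECTED = {"/Calendars"}  # constructed ACL: paths that require a login


def resolve_case_insensitive(root, url_path):
    """Return the on-disk spelling of url_path, matching each segment the
    way a case-insensitive filesystem does, or None if nothing matches."""
    current, canonical = root, []
    for segment in filter(None, url_path.split("/")):
        names = sorted(os.listdir(current)) if os.path.isdir(current) else []
        match = next((n for n in names if n.lower() == segment.lower()), None)
        if match is None:
            return None
        current = os.path.join(current, match)
        canonical.append(match)
    return "/" + "/".join(canonical)


def naive_decision(root, url_path):
    """ACL lookup keyed on the spelling the client sent."""
    if resolve_case_insensitive(root, url_path) is None:
        return "404"
    return "401" if url_path.rstrip("/") in PROTECTED else "200"


def hardened_decision(root, url_path):
    """Refuse any spelling that differs from the real name, then apply ACL."""
    canonical = resolve_case_insensitive(root, url_path)
    requested = "/" + "/".join(filter(None, url_path.split("/")))
    if canonical is None or canonical != requested:
        return "404"
    return "401" if canonical in PROTECTED else "200"


def demo():
    with tempfile.TemporaryDirectory() as root:  # constructed document root
        os.mkdir(os.path.join(root, "Calendars"))
        os.mkdir(os.path.join(root, "public"))
        paths = ["/Calendars", "/calendars", "/CALENDARS/", "/public"]
        return {p: (naive_decision(root, p), hardened_decision(root, p))
                for p in paths}


if __name__ == "__main__":
    for path, (naive, hardened) in demo().items():
        print(f"{path:13} naive={naive} hardened={hardened}")
```

Here "401" stands for "authentication required"; the naive column returns "200" for the lower-case and upper-case spellings, while the hardened column refuses them.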