Skip Links

'WebDaV is bad,' says security researcher

Report from eEye rips into IETF protocol

By , Network World
May 05, 2011 12:01 AM ET

Network World - Should we hate WebDAV for security reasons?

Yes, says eEye Digital Security, which today focuses a wrathful gaze on WebDAV (short for "Web-based Distributed Authoring and Versioning," the IETF protocol that allows computers to edit and manage files collaboratively on remote Web-based machines). "WebDAV is bad," says eEye CTO Marc Maiffret, summing up the findings in the research report the security firm put forward today that argues no matter where it’s used, WebDAV is so bad for security, companies should make every effort to turn it off.

Cloud computing providers: Clueless about security?

Maiffret says he hopes the report will spur constructive debate about not only WebDAV, but the possibilities of using software configuration and filtering as a security defense.  The report argues that software configuration management is a critical but often overlooked security defense against hackers trying to exploit software vulnerabilities.

"A significant number of Microsoft software vulnerabilities fixed in 2010 could have been proactively mitigated by applying two simple configuration changes," states the report. "The two mitigations are the blocking of WebDAV connections and the disabling of Office file converters. Combined, these two mitigators would have prevented approximately 12% of all vulnerabilities patched by Microsoft in 2010 from easy exploitation."

The report explains WebDAV as the HTTP-based protocol predominantly used for collaboration. "WebDAV can be used internally at an organization for document management, editing, etc. it can also be used for activities such as content publishing, where an organization's marketing department, for example, is empowered to make website updates themselves."

But eEye argues that WebDAV has become too useful to hackers. "Due to the high number of exploits that require a distribution method such as WebDAV to work, the eEye Reseach Team recommends that measures are put in place to disable WebDAV."

The report adds that though WebDAV has been around for quite a while, and the abuse of it by hackers has been known, the stakes rose last August when a vulnerability called "DLL Hijacking" became widely discussed.

"Attackers can store a malicious version of a DLL file in the WebDAV share however, and upon convincing the user to open a perfectly harmless and legitimate file, execute code under the context of that user," the report points out. "Because of the nature of that vulnerability, it could not be patched by Microsoft without breaking a multitude of third-party applications in the process. It was up to third-party developers to patch their software individually."

It would be "guesswork" to try and come up with "every possible DLL Hijacking scenario within all third-party applications," the report notes. "Because of this fact, we would like to underscore the importance of disabling WebDAV, not only for Microsoft software vulnerabilities, but also third-party applications."

Another finding by security researchers last year contributed to eEye's admonition. The report notes researcher Tavis Ormandy in April 2010 released information about a vulnerability in the Java Development Toolkit that concerned insufficient parameter validation which allowed an attacker to run arbitrary commands under the context of the logged in user.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News