WebDAV Software Apache and moddav. moddav provides the DAV support. Installed on about 250k (public) sites. De facto reference implementation – Class 1 and class 2 – Extensions for versioning – Experimental code for binding, DASL.
![Apache 2.4 webdav Apache 2.4 webdav](http://rus-linux.net/MyLDP/server/owncloud-img/owncloud-webdav.png)
Security Issues
Since DAV access methods allow remote clients to manipulate files on the server, you must take particular care to assure that your server is secure before enabling
mod_dav
.Any location on the server where DAV is enabled should be protected by authentication. The use of HTTP Basic Authentication is not recommended. You should use at least HTTP Digest Authentication, which is provided by the
mod_auth_digest
module. Nearly all WebDAV clients support this authentication method. An alternative is Basic Authentication over an SSL enabled connection.In order for
mod_dav
to manage files, it must be able to write to the directories and files under its control using the User
and Group
under which Apache is running. New files created will also be owned by this User
and Group
. For this reason, it is important to control access to this account. The DAV repository is considered private to Apache; modifying files outside of Apache (for example using FTP or filesystem-level tools) should not be allowed.mod_dav
may be subject to various kinds of denial-of-service attacks. The LimitXMLRequestBody
directive can be used to limit the amount of memory consumed in parsing large DAV requests. The DavDepthInfinity
directive can be used to prevent PROPFIND
requests on a very large repository from consuming large amounts of memory. Another possible denial-of-service attack involves a client simply filling up all available disk space with many large files. There is no direct way to prevent this in Apache, so you should avoid giving DAV access to untrusted users.