SECURITY ISSUE: WebDAV listening on public IP by default! All files publicly available! No credential required! #363

Description

@schnoog

Hi,

I installed the cli on one of my Debian servers (hosted at Hetzner).

I strictly followed the instructions!

I configured WebDAV and started it:

internxt --version
@internxt/cli/1.5.5 linux-x64 node-v22.19.0

internxt webdav-config -h -p 3005 -t0
internxt webdav enable

Thankfully I have the habit of checking for listening servers after each install.
WebDAV was running, but it was bound not to localhost (127.0.0.1) but to the public IP of my server.

netstat -tulpen | grep 3005
tcp6       0      0 :::3005                 :::*                    LISTEN      0          14946487   3256926/node /root/

I was quite shocked and immediately tested whether the service was reachable from a third host:

curl http://49.12.XXX.YYY:3005
<?xml version="1.0" encoding="utf-8" ?><D:error xmlns:D="DAV:"><D:responsedescription>Folders cannot be listed with GET. Use PROPFIND instead.</D:responsedescription></D:error>

So I've gone a step further and included it in the rclone config of my homeserver:

[ttt]
type = webdav
url = http://49.12.XXX.YYY:3005
vendor = other

and was able to use rclone WITHOUT ANY CREDENTIALS!

rclone  lsd ttt:/
          -1 2025-09-13 11:38:53        -1 Family
          -1 2025-09-13 11:38:53        -1 Personal
          -1 2025-09-19 23:47:19        -1 homeserver
          -1 2025-09-19 23:44:13        -1 somepdf
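The post-install check described above (look for listeners bound to anything other than loopback) can be automated. The following is an added example, not code from the issue author or the Internxt CLI: it parses `netstat -tulpen` / `ss -tulpen` style output and reports every listening socket whose bind address accepts connections from other hosts. The sample output is constructed, except for the `:::3005` line, which mirrors the one in the report; the function and constant names are this example's own.

```python
"""Flag listening sockets that are reachable from outside the host.

Added example (not part of the issue or the Internxt CLI). It parses the
'Local Address' column of `netstat -tulpen` / `ss -tulpen` style output and
reports every listener not bound to a loopback address. The sample lines
below are constructed; the :::3005 line mirrors the one in the report.
"""
import ipaddress
import shutil
import subprocess
from typing import List, Tuple

# Constructed sample in `netstat -tulpen` format: two loopback-only listeners,
# two wildcard listeners (sshd, and the node/WebDAV line from the report),
# and one UDP socket (udp rows have no State column).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 127.0.0.1:3005          0.0.0.0:*               LISTEN      0          12345      1111/node
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          12346      2222/sshd
tcp6       0      0 :::3005                 :::*                    LISTEN      0          14946487   3256926/node
tcp6       0      0 ::1:631                 :::*                    LISTEN      0          12347      3333/cupsd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           0          12348      4444/dhclient
"""


def split_host_port(local: str) -> Tuple[str, int]:
    """Split 'host:port'; the host part may itself contain colons (IPv6)."""
    host, _, port = local.rpartition(":")
    return host, int(port)


def is_exposed(host: str) -> bool:
    """True if a socket bound to `host` accepts connections from other hosts.

    Wildcards (0.0.0.0, ::, empty or '*') and every non-loopback address
    count as exposed; an unparseable address is reported rather than ignored.
    """
    if host in ("", "*", "0.0.0.0", "::"):
        return True
    try:
        return not ipaddress.ip_address(host).is_loopback
    except ValueError:
        return True


def exposed_listeners(output: str) -> List[Tuple[str, int, str]]:
    """Return (proto, port, program) for every exposed listening socket."""
    found = []
    for line in output.splitlines():
        cols = line.split()
        if len(cols) < 4 or not cols[0].startswith(("tcp", "udp")):
            continue  # header, blank line or something that is not a socket row
        proto, local = cols[0], cols[3]
        # TCP rows carry a State column; only LISTEN sockets matter here.
        if proto.startswith("tcp") and cols[5] != "LISTEN":
            continue
        host, port = split_host_port(local)
        if is_exposed(host):
            found.append((proto, port, cols[-1]))  # last column is PID/Program
    return found


def port_is_exposed(output: str, port: int) -> bool:
    """Convenience check for a single port, e.g. the WebDAV port 3005."""
    return any(p == port for _, p, _ in exposed_listeners(output))


def live_netstat() -> str:
    """Run `ss -tulpen` (or `netstat -tulpen`) if available, else use the sample."""
    for tool in ("ss", "netstat"):
        if shutil.which(tool):
            return subprocess.run([tool, "-tulpen"], capture_output=True,
                                  text=True, check=False).stdout
    return SAMPLE_NETSTAT


if __name__ == "__main__":
    for proto, port, prog in exposed_listeners(live_netstat()):
        print(f"EXPOSED {proto:5} port {port:<5} {prog}")
```

Run it right after installing or enabling a service; anything it prints is reachable from the network and needs either a loopback bind, a firewall rule, or authentication in front of it. The `ss` column layout differs slightly from `netstat`, but the local-address column and the LISTEN state are in the same positions for `-tulpen`, which is all the parser relies on.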
