The DAV component in Chandler Server (Cosmo) before 0.10.1 does not check resource creation permissions, which allows remote authenticated users to create arbitrary resources in another user's home collection.