[Info-vax] Using VMS for a web server

[Jan-Erik Soderholm]

Simon Clubley skrev den 2015-06-10 02:32:
> On 2015-06-09, Jan-Erik Soderholm <jan-erik.soderholm at telia.com> wrote:
>>
>> OK. That needs a script called wawalo.php already beeing on the server
>> in a directory where the server can execute it. The exploit is realy
>> to be able to upload the wawalo.php file in the first place.
>>
>
> Actually what I read it as was that a PHP script installed for a
> legitimate purpose on the server (as part of, say, a PHP application)
> had a vulnerability which allowed attacker controlled commands to
> be executed.

OK. I read that a file wawalo.jpg was first uploaded, then renamed
into .php and finaly executed. The only purpose of this file was
to exloit this PHP "feature", as I understood.

But yes, it might also have been a file that was part
of some application...


>
>> If you have a server setup where someone can both upload a random
>> file and then also execute that file just like that frm the same
>> directory, you have a severe problem.
>>
>> Now, is this a "hole in PHP"? Or could the same thing be done
>> using any tool that can take an input parameter and execute it?
>>
>
> In this case, I think I would class this as a PHP application
> vulnerability and not a PHP vulnerability itself.
>
> However, speaking as someone who has actually written PHP code, the
> negative reputation the language itself has in some quarters is well
> justified.

Right, I'm in no way defending PHP as such! It's just that this
was used as an argument against having a web server on VMS. You
can have that without PHP, if you like.

I'm not even sure that that exploit would work on VMS where
the scripting processes usualy runs in a restricted user
context.




>
> Simon.
>