[Info-vax] HTTP and HTML File Upload Basics
Phillip Helbig undress to reply
helbig at asclothestro.multivax.de
Fri Oct 23 23:31:03 EDT 2020
In article <rmvt81$1n3a$1 at gioia.aioe.org>, Arne Vajhøj
<arne at vajhoej.dk> writes:
> On 10/23/2020 10:07 AM, Phillip Helbig (undress to reply) wrote:
> > In article <rmuluj$ch$2 at dont-email.me>,
> > Jan-Erik Söderholm <jan-erik.soderholm at telia.com>
> > writes:
> >> But even so, it is not hard to make a public web interface to
> >> a VMS box secure. It is not like letting everyone have an open
> >> interface to DCL.
> >
> > Right. Run the server on an account with no privileges and, if you
> > wish, have password-protected pages. These can use the SYSUAF and
> > produce VMS intrusions in case of problems, which you can tailor to
> > taste. Let it use a disk used by nothing else. Adjust process priority
> > and quotas. Run HTTPS if you wish.
>
> If you allow any type of upload and you are not careful, then
> you can still get into big problems with a no priv setup.

Consider the setup described above: to do an upload, I need an account
on the system, and guessing the password wrongly will create intrusions.
Once I'm logged in, I can upload something, but at worst I can fill up a
disk used by nothing else. The uploaded file lands on a disk not
visible to the web server.