[Info-vax] HTTP and HTML File Upload Basics
Arne Vajhøj
arne at vajhoej.dk
Sat Oct 24 19:49:08 EDT 2020
On 10/23/2020 11:31 PM, Phillip Helbig (undress to reply) wrote:
> In article <rmvt81$1n3a$1 at gioia.aioe.org>, Arne Vajhøj
> <arne at vajhoej.dk> writes:
>> On 10/23/2020 10:07 AM, Phillip Helbig (undress to reply) wrote:
>>> In article <rmuluj$ch$2 at dont-email.me>,
>>> Jan-Erik Söderholm <jan-erik.soderholm at telia.com>
>>> writes:
>>>> But even so, it is not hard to make a public web interface to
>>>> a VMS box secure. It is not like letting everyone have an open
>>>> interface to DCL.
>>>
>>> Right. Run the server on an account with no privileges and, if you
>>> wish, have password-protected pages. These can use the SYSUAF and
>>> produce VMS intrusions in case of problems, which you can tailor to
>>> taste. Let it use a disk used by nothing else. Adjust process priority
>>> and quotas. Run HTTPs if you wish.
>>
>> If you allow any type of upload and you are not careful, then
>> you can still get into big problems with a no priv setup.
>
> Consider the setup described above: to do an upload, I need an account
> on the system, and guessing the password wrongly will create intrusions.
> Once I'm logged in, I can upload something, but at worst I can fill up a
> disk used by nothing else.
If the non-privileged server account has write access to
the content, then you need to prevent content from
being modified.
> The uploaded file lands on a disk not
> visible to the web server.
Which helps with security.
Arne
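The point Arne makes above (a no-privilege server account is not enough if that account can write into the content it serves, whereas an upload area the server cannot serve is a real mitigation) is easier to see in code. The following is an added illustration, not code from the post or from any VMS web server; it uses Python and two temporary directories standing in for the served content tree and the separate upload disk, and the file-name pattern, size limit and helper names are assumptions chosen for the example.

```python
import os
import re
import tempfile

# Constructed example: "www" stands in for the served content tree and
# "uploads" for the separate upload area the post describes (a disk the
# web server does not serve from). Both are temp directories here so the
# example runs offline.

# Hypothetical allow-list for client-supplied names: one path component,
# no leading dot, no separators, bounded length.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")
MAX_UPLOAD = 1 << 20  # hypothetical per-file limit (1 MiB)


def naive_save(content_root, filename, data):
    """The hazard: the upload lands inside the served tree under the name
    the client chose. A server account with write access to the content
    can then replace existing pages (or plant new ones) via an upload."""
    path = os.path.join(content_root, filename)
    with open(path, "wb") as f:
        f.write(data)
    return path


def safe_save(content_root, upload_root, filename, data):
    """Hardened form: the upload goes to a directory outside the served
    tree, under a strictly validated name, never overwriting, and
    size-limited so a single client cannot quietly fill the disk."""
    if len(data) > MAX_UPLOAD:
        raise ValueError("upload too large")
    if not SAFE_NAME.match(filename):
        raise ValueError("rejected file name")
    # Refuse to run at all if the upload area sits inside the served tree;
    # that misconfiguration would recreate the naive case.
    real_content = os.path.realpath(content_root)
    real_upload = os.path.realpath(upload_root)
    if real_upload == real_content or real_upload.startswith(real_content + os.sep):
        raise RuntimeError("upload directory must not be under the served content tree")
    path = os.path.join(real_upload, filename)
    # O_EXCL: fail instead of replacing a file that already exists.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def demo():
    """Run both variants against a constructed site and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        content_root = os.path.join(tmp, "www")
        upload_root = os.path.join(tmp, "uploads")
        os.makedirs(content_root)
        os.makedirs(upload_root)
        index = os.path.join(content_root, "index.html")
        with open(index, "w") as f:
            f.write("<h1>original</h1>")

        results = {}

        # Naive: an upload named index.html silently replaces the front page.
        naive_save(content_root, "index.html", b"<h1>defaced</h1>")
        with open(index) as f:
            results["naive_index_after"] = f.read()

        # Restore, then take the hardened path with the very same name:
        # the file lands in the upload area and the served page is untouched.
        with open(index, "w") as f:
            f.write("<h1>original</h1>")
        saved = safe_save(content_root, upload_root, "index.html", b"<h1>defaced</h1>")
        with open(index) as f:
            results["safe_index_after"] = f.read()
        results["saved_under_upload_root"] = (
            os.path.dirname(saved) == os.path.realpath(upload_root)
        )

        # A traversal-style name is rejected before anything is opened.
        try:
            safe_save(content_root, upload_root, "../index.html", b"x")
            results["traversal_rejected"] = False
        except ValueError:
            results["traversal_rejected"] = True

        # A second upload with the same name cannot overwrite the first.
        try:
            safe_save(content_root, upload_root, "index.html", b"again")
            results["overwrite_rejected"] = False
        except FileExistsError:
            results["overwrite_rejected"] = True

        # An upload directory nested inside the served tree is refused.
        try:
            safe_save(content_root, os.path.join(content_root, "up"), "a.txt", b"x")
            results["nested_upload_dir_rejected"] = False
        except RuntimeError:
            results["nested_upload_dir_rejected"] = True

        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The separate upload directory only does its job if the server's own account cannot write to the content tree at all, and if the upload path is never exported by the server; the name check and O_EXCL defend the upload area itself, and the size limit addresses the one residual problem the thread concedes, filling the upload disk.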