[5051] in WWW Security List Archive
Re: WWW/CGI Security Concerns w/ File Upload
daemon@ATHENA.MIT.EDU (tk)
Sun Apr 13 06:43:58 1997
Date: Sun, 13 Apr 1997 00:51:25 -0800
To: www-security@ns2.rutgers.edu
From: tk@alliancestudio.com (tk)
Errors-To: owner-www-security@ns2.rutgers.edu
Hmmm..
I just realized that you could be talking about regular FTP uploading,
implemented through Netscape. If that's the case, you have to create an
anonymous FTP upload directory. In terms of security, you should look into
security concerns related to the FTP server you are using. E.g. if you are
using wu-ftp on a UNIX box, there are some instructions on how to implement
this at:
ftp://info.cert.org/pub/tech_tips/anonymous_ftp_config
Good luck,
Troy
>I have a question for those of you who know the Apache web server. I
>am working on a listing of resumes for students in my college which will
>be searchable via a cgi search engine.. As part of this, I would like to
>allow students to upload a copy of their resume using the Netscape file
>upload features but want to make sure that all SSIs and cgi access in that
>directory is turned off..
>
>1. If this gets inserted into the access.conf file will it turn off all
>of the options that I want in that directory...
>
><Directory /home/webhome/{resume_directory}>
>Options None
></Directory>
>
>or could I give myself the ability to change these options with .htaccess
>by putting this in the access.conf
>
><Directory /home/webhome/{resume_directory}>
>AllowOverride Options
></Directory>
>
>and putting a .htaccess file in the directory containing
>
>Options None
>
>Are my interpretations of the Apache docs & configurations correct in
>these instances..
>
>
>2. Alternatively, because I don't have direct access to root.. Does
>anyone have any suggestions as to what I should search for when uploading the
>files.. I know to remove any of the SSIs and not let them download to a file
>name that is mapped to a Handler.. Any other suggestions for possible
>malicious coding...
>
>Thanks for your time..
>
>Matthew Petteys
>mpettey@bgnet.bgsu.edu
Troy Korjuslommi ALLIANCE STUDIO [WEST]
Technical Director/Webmaster http://www.alliancestudio.com/
e. tk@alliancestudio.com ph. (310) 458-0884
fx. (310) 395-5741
* * * LAUNCHED APRIL 3RD, 1997 * * *
S T A R L I G H T F O U N D A T I O N
- - Benefiting over 42,000 children each month - - http://www.starlight.org - -
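
For question 2 in the quoted message (what to look for in uploaded files), a sketch of an upload check covering the two items named there, SSI directives and file names mapped to a handler. This is an added example, not code from the thread; the extension lists, the dotfile rule and the name check_upload are assumptions to adapt to the server's own configuration.

```python
import os
import re

# Assumed policy, not from the thread: extensions an Apache setup commonly
# maps to a handler, and the extensions a resume upload is allowed to end in.
HANDLER_EXTS = {".cgi", ".pl", ".shtml", ".shtm", ".php", ".asis", ".map"}
ALLOWED_EXTS = {".txt", ".html", ".htm", ".pdf", ".doc"}

# An SSI directive has the form <!--#element attribute="value" -->
SSI_RE = re.compile(rb"<!--#\s*([A-Za-z]+)")


def check_upload(client_name: str, data: bytes) -> list[str]:
    """Return the reasons to reject an upload; an empty list means accept."""
    reasons = []
    # The browser supplies the name, so it may carry directory components.
    base = os.path.basename(client_name.replace("\\", "/"))
    if base != client_name or base in ("", ".", ".."):
        reasons.append("path components in filename")
    if base.startswith("."):
        # With AllowOverride Options, an uploaded .htaccess could set Options.
        reasons.append("dotfile such as .htaccess")
    # mod_mime looks at every extension in a name, so "cv.cgi.txt" counts too.
    parts = base.lower().split(".")[1:]
    mapped = sorted({"." + p for p in parts} & HANDLER_EXTS)
    if mapped:
        reasons.append("extension mapped to a handler: " + ", ".join(mapped))
    if not parts or "." + parts[-1] not in ALLOWED_EXTS:
        reasons.append("final extension not on the allow list")
    match = SSI_RE.search(data)
    if match:
        reasons.append("SSI directive: " + match.group(1).decode("ascii"))
    return reasons


if __name__ == "__main__":
    # Constructed sample uploads (name, content), not taken from the thread.
    samples = [
        ("resume.html", b"<html><body>Jane Doe</body></html>"),
        ("resume.shtml", b"<html><body>Jane Doe</body></html>"),
        ("cv.cgi.txt", b"Jane Doe, plain text resume"),
        ("cv.html", b'<p>Jane Doe</p><!--#include virtual="/footer.html" -->'),
        (".htaccess", b"Options Indexes"),
    ]
    for name, body in samples:
        print(name, "->", check_upload(name, body) or "accept")
```

A check like this complements the `Options None` directory setting rather than replacing it, since the server configuration is what actually stops SSI and CGI execution.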