On 11/03/2015 07:30 AM, Heiko W.Rupp wrote:
On 3 Nov 2015, at 14:19, David M. Lloyd wrote:
> I'm pretty sure that if an attacker has permission to upload deployments
> to the server, they already essentially have control over the server.
Well, uploads can be remotely, so this can be seen as a DOS
attack vector that does not necessarily require privileges
for (physical) access like (remote) shell.
It does require permissions within our security framework though. I'm
reasonably sure we're not letting anonymous users upload arbitrary data
to the server without authorization checks.
And then I recall there being the zip bombs where a very small
file would unzip to a huge one. This is probably nothing that
could be caught by limiting the size of the upload.
Sure, but this is only one of many possible attacks that you can perform
if you have the ability to upload deployments to the server. Even with
a locked down security manager I would never recommend running untrusted
Java code on a server that isn't itself isolated and/or protected at an