On 3 Nov 2015, at 14:19, David M. Lloyd wrote:
I'm pretty sure that if an attacker has permission to upload
to the server, they already essentially have control over the server.
Well, uploads can be remotely, so this can be seen as a DOS
attack vector that does not necessarily require privileges
for (physical) access like (remote) shell.
And then I recall there being the zip bombs where a very small
file would unzip to a huge one. This is probably nothing that
could be caught by limiting the size of the upload.
Do we know if WF continues to work when e.g. the partition for
log files or other data is full?
Reg. Adresse: Red Hat GmbH, Technopark II, Haus C,
Werner-von-Siemens-Ring 14, D-85630 Grasbrunn
Handelsregister: Amtsgericht München HRB 153243
Geschäftsführer: Charles Cachera, Michael Cunningham, Paul Hickey, Charlie Peters