Security aspects of the PUT method (was Re: Amaya is great)

Irene.Vatton@inrialpes.fr said:
> Using http 1.1 the publishing is more secure than ftp provided that
> you request passwords for publishers.

It would be foolish not to require passwords. But even with passwords, I 
think you're a little over-optimistic here. I've been using the PUT method
with the Apache server for a few years now, and here are the problems I see 
with it:

1) the site administrator has to provide a script for the PUT method. That
   person might not be very experienced in regard to security problems and
   might therefore leave, in the PUT script, security holes. I wrote such a
   script at the time, and tried to foresee all possible problems, but I'm
   not sure I covered all possible loopholes. (for those interested, the
   script, written in Tcl, is available at
   http://cuisung.unige.ch/Gestion/put.txt)

2) The directories in which users might save documents with the PUT method 
   have to be writeable by the user under which the Apache server runs. This
   is usually not a problem for the server's main directories, but is usually
   difficult to implement for users' private web space ($HOME/public_html/).
   If somebody has a solution for that one, I'd be interested in hearing from
   them.

Peace,

Bertrand Ibrahim.
--------------------------------------------
Bertrand.Ibrahim@cui.unige.ch
http://cui.unige.ch/eao/www/Bertrand.html

Received on Wednesday, 10 May 2000 09:04:21 UTC
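
Added example, not part of the original message and not the Tcl script it links to: a sketch of the checks a CGI PUT handler of the kind described in point 1 would make before writing anything. It assumes the script reads the standard CGI variables REQUEST_METHOD, REMOTE_USER, CONTENT_LENGTH and PATH_TRANSLATED; the names `resolve_put_target`, `PutRejected` and `MAX_BODY` and the size limit are hypothetical.

```python
import os

MAX_BODY = 5 * 1024 * 1024  # assumed upload limit, not a value from the post


class PutRejected(Exception):
    """Refusal carrying the HTTP status the script should return."""

    def __init__(self, status, reason):
        super().__init__(f"{status} {reason}")
        self.status = status


def resolve_put_target(env, publish_root):
    """Return the real path a PUT may write to, or raise PutRejected."""
    if env.get("REQUEST_METHOD") != "PUT":
        raise PutRejected(405, "only PUT is handled here")
    # The server must already have authenticated the publisher.
    if not env.get("REMOTE_USER"):
        raise PutRejected(403, "no authenticated user")
    # Refuse bodies of unknown or excessive size before reading them.
    try:
        length = int(env.get("CONTENT_LENGTH", ""))
    except ValueError:
        raise PutRejected(411, "Content-Length required")
    if length < 0 or length > MAX_BODY:
        raise PutRejected(413, "body too large")
    target = env.get("PATH_TRANSLATED", "")
    if not target:
        raise PutRejected(400, "no target path")
    # realpath resolves ".." components and symbolic links, so the
    # comparison is made on the location that would really be written.
    root = os.path.realpath(publish_root)
    real = os.path.realpath(target)
    if real == root or os.path.commonpath([root, real]) != root:
        raise PutRejected(403, "target outside publishing area")
    if os.path.isdir(real):
        raise PutRejected(409, "target is a directory")
    return real


if __name__ == "__main__":
    # Constructed request environment for illustration.
    demo = {"REQUEST_METHOD": "PUT", "REMOTE_USER": "alice",
            "CONTENT_LENGTH": "120",
            "PATH_TRANSLATED": "/tmp/put-demo/../etc/passwd"}
    try:
        print(resolve_put_target(demo, "/tmp/put-demo"))
    except PutRejected as err:
        print("rejected:", err)
```

These checks do not address point 2: the server's user still needs write permission on the resolved directory.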