
Any demand for a new web server for VMS with a very limited feature set?


Arne Vajhøj

Aug 18, 2017, 8:27:36 PM
I have been playing with a new thingy for VMS.

A very simple web server based on Jetty.

Read below for a description.

Would it make sense for me to bundle it up and make it available?

Arne

----


VMS Web
Introduction

This is a VMS web server. Or maybe more accurately a VMS subset of a web
server - as functionality is very limited.

Also note that less than 1% of the code is mine - the remaining more
than 99% of the code comes from various open source projects including
Eclipse Jetty.
What is not supported

The following features are not available:

    Virtual hosts
    Serving multiple directories
    POST, PUT and DELETE methods
    Mix of protected and unprotected pages
    Directory listings
    Configurable file type mapping
    Configurable welcome file
    Configurable caching
    CGI scripts
    Server Side Includes
    Servlets and JSP
    ...
    ...
    ...

If you need those features then pick a full web server like one of:

    Apache
    WASD
    OSU

What is supported

The following features are available:

    HTTP and HTTPS on configurable ports
    Serving files (only a few file extensions) from a single directory tree
    Serving VMS HELP
    Simple Java plugins (query string in, return object that gets
    converted to JSON or XML)
    Ability to optionally require VMS login for everything (not HTTP
    - only HTTPS)

Why would anyone choose such a feature-poor product?

Sometimes a simpler product is better. Reasons:

    Easy install, easy config and easy run. Install is two unzips.
    There is no config at all (yes - no config file). Run is @setup and a
    command line. You want it running in the background? Submit a batch job
    with the same two lines!
    Probably better security. The very limited functionality also
    limits attack possibilities. The implementation was made to make exploits
    difficult. The code base is so small that it should be easy to review
    for vulnerabilities.

Install:

To install simply:

    install and setup the VMSCALL package (needed for login and VMS
    help functionality)
    unzip vmsweb.zip
    unzip -aa temp.zip

Run:

To run simply:

    @setup
    runserver [option] ... [option]

Options:

    http <port>
        process HTTP requests on specified port
    https <port> <JKS file> <passphrase>
        process HTTPS requests on specified port using certificate from JKS
        file
    file <dir>
        serve files from specified directory tree at context /
    jsonapi
        serve Java plugins returning JSON at context /jsonapi
    xmlapi
        serve Java plugins returning XML at context /xmlapi
    help
        serve VMS HELP at context /help
    login
        require VMS login for all requests

Examples:

    runserver http 8001 file /disk2/arne/www
        listen for HTTP on port 8001 and serve files in DISK2:[ARNE.WWW]
    runserver http 8001 https 8002 arne.jks topsecret file /disk2/arne/www
        listen for HTTP on port 8001, HTTPS on port 8002 and serve files in
        DISK2:[ARNE.WWW]
    runserver https 8002 arne.jks topsecret file /disk2/arne/www login
        listen for HTTPS on port 8002, serve files in DISK2:[ARNE.WWW] and
        require VMS login
    runserver http 8001 help
        listen for HTTP on port 8001 and serve VMS HELP
    runserver http 8001 jsonapi
        listen for HTTP on port 8001 and serve plugins returning JSON
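The option list above amounts to a static-file server with a fixed set of restrictions (GET only, one directory tree, no listings, a fixed welcome file, optional TLS from a JKS). The following is an added example written for this page, not Arne's VMSWEB sources, which are not reproduced here. It shows how those restrictions map onto Jetty 9.4 (9.4.12 or later, for SslContextFactory.Server) with jetty-server, jetty-util and javax.servlet-api on the classpath. The class name, the extension allow-list and the TLS protocol exclusions are my choices; the post only says "a few file extensions".

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.eclipse.jetty.server.Handler;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.server.handler.AbstractHandler;
import org.eclipse.jetty.server.handler.HandlerList;
import org.eclipse.jetty.server.handler.ResourceHandler;
import org.eclipse.jetty.util.ssl.SslContextFactory;

// Illustrative Jetty 9.4 wiring for a static-file-only server (example for this
// thread, not VMSWEB). Java 8 compatible, since that is what VMS had in 2017.
public class MiniStaticServer {

    // Assumed allow-list; anything else is answered with a plain 404.
    private static final Set<String> ALLOWED_EXT = new HashSet<>(Arrays.asList(
            "html", "htm", "css", "js", "png", "gif", "jpg", "txt"));

    // Runs ahead of ResourceHandler: refuses non-GET/HEAD and non-allow-listed types.
    static class MethodAndTypeFilter extends AbstractHandler {
        @Override
        public void handle(String target, Request baseRequest, HttpServletRequest request,
                           HttpServletResponse response) throws IOException, ServletException {
            String method = request.getMethod();
            if (!"GET".equals(method) && !"HEAD".equals(method)) {
                response.setStatus(HttpServletResponse.SC_METHOD_NOT_ALLOWED); // POST/PUT/DELETE unsupported
                response.setHeader("Allow", "GET, HEAD");
                baseRequest.setHandled(true);
                return;
            }
            // 'target' is Jetty's decoded, normalized path; a trailing "/" becomes the welcome file.
            if (!target.endsWith("/") && !ALLOWED_EXT.contains(extensionOf(target))) {
                response.sendError(HttpServletResponse.SC_NOT_FOUND); // 404, not 403: do not confirm existence
                baseRequest.setHandled(true);
            }
            // Otherwise leave the request unhandled so the next handler in the list serves it.
        }
    }

    static String extensionOf(String path) {
        int slash = path.lastIndexOf('/'), dot = path.lastIndexOf('.');
        return dot > slash ? path.substring(dot + 1).toLowerCase() : "";
    }

    // Mirrors "runserver http <port> https <port> <jks> <pass> file <dir>"; 0 skips a listener.
    public static Server build(int httpPort, int httpsPort, String jksPath, String jksPass,
                               String docRoot) {
        Server server = new Server();
        HttpConfiguration base = new HttpConfiguration();
        base.setSendServerVersion(false);            // do not advertise "Server: Jetty(x.y.z)"

        if (httpPort > 0) {
            ServerConnector http = new ServerConnector(server, new HttpConnectionFactory(base));
            http.setPort(httpPort);
            server.addConnector(http);
        }
        if (httpsPort > 0) {
            SslContextFactory.Server ssl = new SslContextFactory.Server();
            ssl.setKeyStorePath(jksPath);
            ssl.setKeyStorePassword(jksPass);
            // Added hardening, my choice: leave only TLS 1.2+ enabled.
            ssl.setExcludeProtocols("SSL", "SSLv2", "SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1");
            HttpConfiguration httpsConf = new HttpConfiguration(base);
            httpsConf.addCustomizer(new SecureRequestCustomizer());
            ServerConnector https = new ServerConnector(server,
                    new SslConnectionFactory(ssl, "http/1.1"),
                    new HttpConnectionFactory(httpsConf));
            https.setPort(httpsPort);
            server.addConnector(https);
        }

        ResourceHandler files = new ResourceHandler();
        files.setResourceBase(docRoot);                      // single directory tree at context /
        files.setDirectoriesListed(false);                   // no directory listings
        files.setWelcomeFiles(new String[] {"index.html"});  // fixed welcome file
        files.setEtags(true);

        HandlerList chain = new HandlerList();
        chain.setHandlers(new Handler[] {new MethodAndTypeFilter(), files});
        server.setHandler(chain);
        return server;
    }

    public static void main(String[] args) throws Exception {
        // Same shape as the post's second example: HTTP 8001, HTTPS 8002 from arne.jks.
        Server s = build(8001, 8002, "arne.jks", "topsecret", "/disk2/arne/www");
        s.start();
        s.join();
    }
}
```

Two details worth keeping when adapting this: refusing unsupported methods in a handler that runs before the file handler means no later component ever sees a POST body, and answering a disallowed file type with 404 rather than 403 avoids telling a probing client which files exist in the tree.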

Richard Maher

Aug 18, 2017, 8:47:53 PM
On 19-Aug-17 8:27 AM, Arne Vajhøj wrote:
> I have been playing with a new thingy for VMS.
>
> A very simple web server based on Jetty.
>
> Read below for a description.
>
> Would it make sense for me to bundle it up and make it available?
>
> Arne

I would be interested in knowing if the now Microsoft run Mono project
means IIS-lite on VMS is feasible.

Arne Vajhøj

Aug 18, 2017, 9:30:30 PM
On 8/18/2017 8:47 PM, Richard Maher wrote:
> On 19-Aug-17 8:27 AM, Arne Vajhøj wrote:
>> I have been playing with a new thingy for VMS.
>>
>> A very simple web server based on Jetty.
>>
>> Read below for a description.
>>
>> Would it make sense for me to bundle it up and make it available?
>
> I would be interested in knowing if the now Microsoft run Mono project
> means IIS-lite on VMS is feasible.

That does not really relate. But ...

If Mono, mod_mono and mod-mono-server are all ported
to VMS, then you will be able to run ASP.NET on VMS.

I think the work required will be significant. And
I doubt that it will happen.

Arne

Hans Vlems

Aug 19, 2017, 3:11:08 AM
Arne, how do I get a kit?
My email is hvlems (at) zonnet (dot) nl
Hans

ultr...@gmail.com

Aug 19, 2017, 6:59:15 AM
WHY DON'T YOU UPGRADE THE SSL IN PURVEYOR, THEN YOU WOULD
HAVE A SUPERIOR PRODUCT FOR OPENVMS.

Jan-Erik Soderholm

Aug 19, 2017, 7:14:18 AM
Den 2017-08-19 kl. 02:27, skrev Arne Vajhøj:
> I have been playing with a new thingy for VMS.
>
> A very simple web server based on Jetty.
>

This requires Java, not? I'd like to see the footprint
of that server running.

> Read below for a description.
>
> Would it make sense for me to bundle it up and make it available?
>

Well, why not? Maybe for simple tasks, but I guess the Java requirement
might be an issue for some that either do not have Java installed
or doesn't like Java at all... :-)

Jan-Erik.

> Arne
>
> ----

Jan-Erik Soderholm

Aug 19, 2017, 7:15:30 AM
Den 2017-08-19 kl. 12:59, skrev ultr...@gmail.com:

> WHY DON'T YOU UPGRADE THE SSL IN PURVEYOR, THEN YOU WOULD
> HAVE A SUPERIOR PRODUCT FOR OPENVMS.

Besides of the humor in the post as such, you might want to
get a new keyboard where the shift key isn't stuck.

Simon Clubley

Aug 19, 2017, 1:02:11 PM
You would also have to make sure that any security vulnerabilities
present in an older version of Java were not made available through
the web server in some way.

IOW, you would probably need to make sure that the underlying Java
version on VMS was kept up to date with the normal Java version in
order to try and protect against this.

Simon.

--
Simon Clubley, clubley@remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world

Arne Vajhøj

Aug 19, 2017, 9:07:11 PM
On 8/19/2017 7:14 AM, Jan-Erik Soderholm wrote:
> Den 2017-08-19 kl. 02:27, skrev Arne Vajhøj:
>> I have been playing with a new thingy for VMS.
>>
>> A very simple web server based on Jetty.
>
> This requires Java, not?

Correct.

> I'd like to see the footprint
> of that server running.

Very good point.

Java applications usually require a lot more memory than
traditional VMS applications.

I run it with -Xmx512m.

And a quick test as batch job showed:

  00000433 BATCH_3         HIB      6     5043   0 00:00:26.77     10062   6430 MB

and:

  Accounting information:
  Buffered I/O count:          2178      Peak working set size:    103072
  Direct I/O count:            3157      Peak virtual size:        430400
  Page faults:                10143      Mounted volumes:               0
  Charged CPU time:  0 00:00:27.03      Elapsed time:      0 00:02:18.52

which I think means that it guzzles 50-60 MB of RAM.

>> Read below for a description.
>>
>> Would it make sense for me to bundle it up and make it available?
>
> Well, why not? Maybe for simple tasks, but I guess the Java requirement
> might be an issue for some that either do not have Java installed
> or doesn't like Java at all... :-)

I know.

But ...

Arne

Arne Vajhøj

Aug 19, 2017, 9:11:36 PM
On 8/19/2017 12:57 PM, Simon Clubley wrote:
> On 2017-08-19, Jan-Erik Soderholm <jan-erik....@telia.com> wrote:
>> Den 2017-08-19 kl. 02:27, skrev Arne Vajhøj:
>>> Would it make sense for me to bundle it up and make it available?
>>
>> Well, why not? Maybe for simple tasks, but I guess the Java requirement
>> might be an issue for some that either do not have Java installed
>> or doesn't like Java at all... :-)
>
> You would also have to make sure that any security vulnerabilities
> present in an older version of Java were not made available through
> the web server in some way.
>
> IOW, you would probably need to make sure that the underlying Java
> version on VMS was kept up to date with the normal Java version in
> order to try and protect against this.

Hmmm.

Over the last decade there have been a lot of Java security
vulnerabilities. I have not counted, but I would guess at
something in the magnitude of 2000-3000.

That is a lot.

But almost all of them relate to Java applet sandboxing.

Which has no relevance for a server application.

Arne

Arne Vajhøj

Aug 19, 2017, 9:15:33 PM
On 8/19/2017 3:11 AM, Hans Vlems wrote:
> Arne, how do I get a kit?

I can email you a link.

It may take a few days to package.

If there is interest, I will make it public as open source.

Arne

Simon Clubley

Aug 19, 2017, 9:27:01 PM
Is the server application calling any Java APIs with vulnerable code
buried within the API ?

Arne Vajhøj

Aug 19, 2017, 9:44:14 PM
On 8/19/2017 9:22 PM, Simon Clubley wrote:
> On 2017-08-19, Arne Vajhøj <ar...@vajhoej.dk> wrote:
>> On 8/19/2017 12:57 PM, Simon Clubley wrote:
>>>
>>> You would also have to make sure that any security vulnerabilities
>>> present in an older version of Java were not made available through
>>> the web server in some way.
>>>
>>> IOW, you would probably need to make sure that the underlying Java
>>> version on VMS was kept up to date with the normal Java version in
>>> order to try and protect against this.
>>
>> Hmmm.
>>
>> Over the last decade there have been a lot of Java security
>> vulnerabilities. I have not counted, but I would guess at
>> something in the magnitude of 2000-3000.
>>
>> That is a lot.
>>
>> But almost all of them relate to Java applet sandboxing.
>>
>> Which has no relevance for a server application.
>
> Is the server application calling any Java APIs with vulnerable code
> buried within the API ?

It is calling thousands of methods in the Java runtime.

But I must admit that I have some difficulty understanding
what type of vulnerability you are thinking about.

Are you worried that the code handling file open for read
with some bad characters in the filename instead will delete
the file?

Arne

Simon Clubley

Aug 20, 2017, 4:00:09 AM
That's the kind of thing I am thinking of, although it would be
unlikely to delete the file unless you were able to inject a rm
shell command (for example).

The basic idea is that malformed input (or a malformed access sequence)
is passed from the outside world directly into a Java method and the
Java method doesn't handle it correctly.

Although I agree that it's much more likely in an applet environment,
problems with malformed input exist in all environments, including
in VMS - and sometimes exist in surprising areas.
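Arne's question about "bad characters in the filename" and Simon's description of malformed input going straight into a runtime method both land on the same piece of a file server: turning the request path into a file to open. The example below is added for this page; it is not VMSWEB code and not from either poster. It shows the checks a practitioner would want between the raw request path and the filesystem: strict one-pass percent decoding, rejection of NUL and other control characters, lexical normalization of ".." against the document root, and a second containment check after symlinks are resolved. It assumes Unix-style paths (as the post's /disk2/arne/www examples do) and builds its own throwaway document root; the class name and the fixture files are mine.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Optional;

// Maps a raw request path onto one document root, refusing anything that escapes it.
// Example for this thread, not VMSWEB code. Extension allow-listing is left out here.
public class SafePathResolver {
    private final Path root;

    public SafePathResolver(Path docRoot) throws IOException {
        this.root = docRoot.toRealPath();   // canonical: absolute, symlinks resolved
    }

    // Percent-decode exactly once and strictly: both hex digits required, "+" stays
    // literal (java.net.URLDecoder would turn it into a space, which is wrong for paths).
    static String percentDecode(String s) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '%') {
                if (i + 2 >= s.length()) throw new IllegalArgumentException("truncated escape");
                int hi = Character.digit(s.charAt(i + 1), 16), lo = Character.digit(s.charAt(i + 2), 16);
                if (hi < 0 || lo < 0) throw new IllegalArgumentException("bad escape");
                out.write(hi * 16 + lo);
                i += 2;
            } else if (c < 0x80) {
                out.write(c);
            } else {
                throw new IllegalArgumentException("raw non-ASCII in request path");
            }
        }
        return new String(out.toByteArray(), StandardCharsets.UTF_8);
    }

    // Returns the file to serve, or empty when the request must be refused with a plain 404.
    public Optional<Path> resolve(String rawPath) {
        try {
            String p = percentDecode(rawPath);
            for (char c : p.toCharArray()) {
                if (c < 0x20 || c == 0x7f || c == '\\') return Optional.empty(); // NUL, controls, backslash
            }
            if (!p.startsWith("/")) return Optional.empty();
            if (p.endsWith("/")) p += "index.html";                        // fixed welcome file
            Path candidate = root.resolve(p.substring(1)).normalize();     // collapses "." and ".."
            if (!candidate.startsWith(root)) return Optional.empty();      // lexical traversal
            if (!Files.isRegularFile(candidate)) return Optional.empty();  // no dirs, devices, missing files
            Path real = candidate.toRealPath();                            // follows symlinks
            if (!real.startsWith(root)) return Optional.empty();           // symlink pointing outside the tree
            return Optional.of(real);
        } catch (IllegalArgumentException | IOException e) {   // bad escape, InvalidPathException, I/O error
            return Optional.empty();                           // one outcome for every refusal
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed fixture: a temp doc root with one page, and a "secret" file beside (outside) it.
        Path base = Files.createTempDirectory("vmsweb-demo");
        Path www = Files.createDirectory(base.resolve("www"));
        Files.write(www.resolve("index.html"), "<h1>hi</h1>".getBytes(StandardCharsets.UTF_8));
        Files.write(base.resolve("secret.txt"), "not for you".getBytes(StandardCharsets.UTF_8));

        SafePathResolver r = new SafePathResolver(www);
        String[] probes = {"/", "/index.html", "/../secret.txt", "/%2e%2e/secret.txt",
                           "/index.html%00.jpg", "/%zz", "/..%5csecret.txt"};
        for (String probe : probes) {
            System.out.printf("%-22s -> %s%n", probe,
                    r.resolve(probe).map(Path::toString).orElse("refused (404)"));
        }
    }
}
```

The point of the two containment checks is that normalize() only reasons about the string, so a symlink inside the tree that points at /etc would pass it; toRealPath() is what catches that. Every refusal collapses to the same empty result so the caller cannot leak, through different error codes, whether a path existed, was a directory, or was malformed.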

Arne Vajhøj

Sep 10, 2017, 7:02:12 PM
On 8/20/2017 3:55 AM, Simon Clubley wrote:
> On 2017-08-19, Arne Vajhøj <ar...@vajhoej.dk> wrote:
>> It is calling thousands of methods in the Java runtime.
>>
>> But I must admit that I have some difficulty understanding
>> what type of vulnerability you are thinking about.
>>
>> Are you worried that the code handling file open for read
>> with some bad characters in the filename instead will delete
>> the file?
>>
>
> That's the kind of thing I am thinking of, although it would be
> unlikely to delete the file unless you were able to inject a rm
> shell command (for example).
>
> The basic idea is that malformed input (or a malformed access sequence)
> is passed from the outside world directly into a Java method and the
> Java method doesn't handle it correctly.
>
> Although I agree that it's much more likely in an applet environment,
> problems with malformed input exist in all environments, including
> in VMS - and sometimes exist in surprising areas.

Any examples of such in real life?

Arne


Simon Clubley

Sep 10, 2017, 7:45:34 PM
The last comment was because when I wrote that I had recently
discovered that you could take down DCL by feeding malformed
input containing nulls directly into the recall buffer and then
issuing recall/all to force DCL to walk the recall buffer.

I've also previously discovered that you can get DECnet IV on VMS to
trust routing information that mentions the current node even though
the packet came from an external source on the network.

Arne Vajhøj

Sep 10, 2017, 7:50:39 PM
On 9/10/2017 7:45 PM, Simon Clubley wrote:
> On 2017-09-10, Arne Vajhøj <ar...@vajhoej.dk> wrote:
>> On 8/20/2017 3:55 AM, Simon Clubley wrote:
>>> Although I agree that it's much more likely in an applet environment,
>>> problems with malformed input exist in all environments, including
>>> in VMS - and sometimes exist in surprising areas.
>>
>> Any examples of such in real life?
>
> The last comment was because when I wrote that I had recently
> discovered that you could take down DCL by feeding malformed
> input containing nulls directly into the recall buffer and then
> issuing recall/all to force DCL to walk the recall buffer.
>
> I've also previously discovered that you can get DECnet IV on VMS to
> trust routing information that mentions the current node even though
> the packet came from an external source on the network.

Yes.

But those seem a rather far distance from the problem you raised
here.

I am not saying that it is impossible. It is certainly possible.

But real world security is also a practical discipline. One
needs to focus on what is most important.

There are lots of risks involved in running a web server. The RTL
of the language it is written in is something I would expect
to be a very small risk.

Arne


Arne Vajhøj

Oct 8, 2017, 10:52:33 PM
Not much interest.

But what the heck.

Zips:

http://www.vajhoej.dk/arne/opensource/vms/

Docs:

http://www.vajhoej.dk/arne/opensource/vms/doc/

Just serve files via HTTP => just take VMSWEB.

Everything => take VMSSCRIPT + VMSCALL + VMSWEB in that order

Arne

Neil Rieck

Oct 10, 2017, 7:38:25 AM
It depends what you want to use this tool for. If it is just for learning then I think the bulk of the computer community has gone in a different direction. I recently attended a refresher course at udemy.com titled "Web Developer Bootcamp" where the instructor demonstrated everything on the student's own PC using:

Node.js ( https://nodejs.org/en/ )
postman ( https://www.getpostman.com/ )
sublime text ( https://www.sublimetext.com/ )
console ( built into every browser )

...to only reference four thingies of many. The whole point of this was to learn web technology without setting up server software (Apache, IIS, etc) which is deferred to the very last step if/when you put your project into production.

I wish I had had some of these when I first learned HTTP because it is really easy to use POSTMAN to fire an HTTP GET or POST packet at a running instance of Node.js where you can immediately observe the running transaction log.

(comment: I wonder how many computer students are chased away in horror after watching someone do a web-server config)

Neil Rieck
Waterloo, Ontario, Canada.
http://neilrieck.net

Bill Gunshannon

Oct 10, 2017, 9:16:56 AM
None of mine!!

bill


Arne Vajhøj

Oct 10, 2017, 9:30:59 AM
On 10/10/2017 7:38 AM, Neil Rieck wrote:
> It depends what you want to use this tool for. If it is just for
> learning then I think the bulk of the computer community has gone in a
> different direction. I recently attended a refresher course at udemy.com
> titled "Web Developer Bootcamp" where the instructor demonstrated
> everything on the student's own PC using:
>
> Node.js ( https://nodejs.org/en/ )
> postman ( https://www.getpostman.com/ )
> sublime text ( https://www.sublimetext.com/ )
> console ( built into every browser )
>
> ...to only reference four thingies of many. The whole point of this
> was to learn web technology without setting up server software (Apache,
> IIS, etc) which is deferred to the very last step if/when you put your
> project into production.

> (comment: I wonder how many computer students are chased away in
> horror after watching someone do a web-server config)

Configuring a full featured web server can be complex. So many
things to consider.

And the slick GUI installers can do more harm than good, because
if it ends up being "99% right" then the poor guy does not have a
chance of getting it 100% right.

[with IIS you are stuck with GUI I think, but ...]

It is not just developers, but also system managers (system
administrators outside VMS world) that may need to serve
some files and really don't want to / need to understand
every Apache directive.

Arne
