I'm afraid I stand by my answers bar one:

re the recent security scare: quote from php.net: "It is known that Apache (any version) and iPlanet servers are vulnerable to this issue, however Microsoft IIS is not." This person states he is using IIS.

re PHP being "as secure as the pages you program" - not really a server security issue, is it? If he wants to put a link saying "read all my passwords" then that's his business.

re the POST vulnerability, I'll retract my comment on that.

-----Original Message-----
From: Bryan Henry [mailto:[EMAIL PROTECTED]]
Sent: 02 April 2002 18:25
To: [EMAIL PROTECTED]
Subject: RE: [PHP-WIN] Configuring securely in IIS5 under Windows 2000 Server

>>All PHP does, is create a dynamic webpage, ie create a web page
>>"on-the-fly". This does not expose any holes any more than creating an html
>>page does.

not true - PHP is as secure as the pages you program. Lack of user input verification is a good example.

>>There was recently a scare at php.net where a security loophole
>>was found, but it didn't concern windows users I believe.

not true - it affected any server running PHP v3.0.10-v3.0.18, v4.0.1-v4.1.1 with at least one .php file on it. Everyone was encouraged to upgrade to 4.1.2

>>Because the PHP development is a very much open-source project,
>>any holes are spotted and repaired much faster than, say, a
>>hole was discovered in IIS.

Again, the bug was spotted years ago, supposedly by some hacker community. It was just not reported and fixed until the 4.1.2 release.

->the POST vulnerability is covered here.
->http://security.e-matters.de/advisories/012002.html
->using the php binary to read and execute files on windows.
->http://www.php.net/release_4_1_2_win32.php
->[ this was not a problem for IIS you will be running ]

~ b r y a n

-----Original Message-----
From: Ross Fleming [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 02, 2002 10:51 AM
To: Eric Gentry; [EMAIL PROTECTED]
Subject: RE: [PHP-WIN] Configuring securely in IIS5 under Windows 2000 Server

So far as I'm aware, you're correct, secure IIS and php is secure as well.

I once saw a report in a security website or magazine (I think the latter) complaining that PHP was insecure in so much that variables were posted with the header details and could therefore be intercepted. This in itself is not so much a problem of PHP, and can be worked around by using sessions I believe.

All PHP does, is create a dynamic webpage, ie create a web page "on-the-fly". This does not expose any holes any more than creating an html page does.

There was recently a scare at php.net where a security loophole was found, but it didn't concern windows users I believe.

Because the PHP development is a very much open-source project, any holes are spotted and repaired much faster than, say, a hole was discovered in IIS.

Can anyone else confirm this with me?

Ross

-----Original Message-----
From: Eric Gentry [mailto:[EMAIL PROTECTED]]
Sent: 02 April 2002 16:28
To: [EMAIL PROTECTED]
Subject: RE: [PHP-WIN] Configuring securely in IIS5 under Windows 2000 Server

Bruce,

Thanks for all of your input, it is much appreciated. I do know about securing IIS, but I was concerned about security when adding PHP into the mix.

From the answers I received, I am assuming that the security is in the OS/Server software, and that there aren't any inherent security measures to be taken with PHP?

In short, if the OS/web server is fairly secure, PHP does not break that, correct? That is my main concern.

Thanks,
Eric

--
PHP Windows Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php