php-windows Digest 2 Apr 2002 17:45:06 -0000 Issue 1074
Topics (messages 12884 through 12898):
Removing PHP
12884 by: Faisal Ashraf
12887 by: Faisal Ashraf
Re: [PHP-INST] XSLTransformation via Sablotron
12885 by: Steve at Puddletown
PHP and Apache 1.3
12886 by: Glider
12888 by: darius.burlega.electrolux.lt
Re: mail();
12889 by: Piotr Pluciennik
R: [PHP-WIN] mail();
12890 by: Alberto. Sartori
Re: Configuring securely in IIS5 under Windows 2000 Server
12891 by: Eric Gentry
12894 by: Ross Fleming
12896 by: Bryan Henry
12897 by: Bryan Henry
12898 by: Ross Fleming
Connecting to a database w/PHP and mysql
12892 by: Anthony Ritter
Re: Security using Apache & Windows
12893 by: Tim Mackenzie
12895 by: Ross Fleming
Administrivia:
To subscribe to the digest, e-mail:
[EMAIL PROTECTED]
To unsubscribe from the digest, e-mail:
[EMAIL PROTECTED]
To post to the list, e-mail:
[EMAIL PROTECTED]
----------------------------------------------------------------------
--- Begin Message ---
Hi People,
I am kinda new here, but I hope this place is good for getting help
regarding PHP. My problem is that my system was running perfectly: I had
installed PHP on WinXP and it was working fine, then I upgraded it to the new
version and it got messed up, and my PHPNuke web site is giving me problems and
not working.
I want to know how to completely remove PHP so I can reinstall it again. I
hope I'll get a reply soon. Thank you, and one more thing: is there any
installer available which installs the full package of PHP on Windows, like
ActivePerl?
Thank you
Regards,
Faisal
--- End Message ---
--- Begin Message ---
Thanks for your reply Aleem,
Well, it didn't work; I am still getting the same error.
I am getting this error even though I have removed all files and then reinstalled the
setup:
Fatal error: Failed opening required 'mainfile.php'
(include_path='c:\php4\pear') in
This folder previously existed, but now I have removed all files and then
reinstalled it again.
I am running my site on IIS 5.
Please help me out
Faisal
-----Original Message-----
From: Aleem [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 02, 2002 2:53 PM
To: [EMAIL PROTECTED]
Subject: RE: [PHP-WIN] Removing PHP
Faisal, what kind of problems?
I just resolved a whole bunch of problems I was having after I upgraded
to 4.1.2.
Here's a quick check list:
Add these to your Apache config file (or check the docs on the php site for
other servers):
# CGI INSTALL
ScriptAlias /php/ "c:/php/"
AddType application/x-httpd-php .php
Action application/x-httpd-php "/php/php.exe"
and these lines in php.ini under c:\<windows folder>\php.ini
register_globals = On
include_path = ".;c:\php\pear"
doc_root =
If these don't help, you can simply remove the php directory and remove
the php.ini file from your windows folder. Also delete php4ts.dll from
the SYSTEM or SYSTEM32 folder. If you copied some other DLLs into your
SYSTEM/SYSTEM32 folder, don't worry about those... just copy the DLLs
from your new php\dlls install into the SYSTEM/SYSTEM32 folder.
- aleem
> -----Original Message-----
> From: Faisal Ashraf [mailto:[EMAIL PROTECTED]]
> Sent: Monday, April 01, 2002 10:15 PM
> To: [EMAIL PROTECTED]
> Subject: [PHP-WIN] Removing PHP
--- End Message ---
--- Begin Message ---
-----Original Message-----
From: Jan Walter [mailto:[EMAIL PROTECTED]]
Sent: Monday, April 01, 2002 9:20 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: [PHP-INST] XSLTransformation via Sablotron
Hello,
I've used this sample code as well as the installation described at
http://shanx.com/php/xsl/getXsl.htm (using W2K, Apache 1.3.20, PHP
4.1.2).
<?php
// Create an XSLT processor (PHP 4 xslt extension, Sablotron backend)
$xsltHandle = xslt_create();
// Perform the transformation. getcwd() returns no trailing separator, so
// one has to be added; otherwise the file name is glued onto the directory
// name (e.g. "C:\wwwtest.xml") and Sablotron never sees the real file.
$out = xslt_process($xsltHandle,
                    getcwd() . DIRECTORY_SEPARATOR . 'test.xml',
                    getcwd() . DIRECTORY_SEPARATOR . 'test.xsl');
// Detect errors
if (!$out) die(xslt_error($xsltHandle));
// Destroy the XSLT processor
xslt_free($xsltHandle);
// Output the transformed document
echo $out;
?>
The result is that Sablotron itself (command line) works fine but this
code produces the following error: "XML parser error 4: not well-formed (invalid token)".
I would appreciate any hint. Thanks a lot.
--
=================================
[NAME] jan walter [ALIAS] john
[COMPANY] lerach s.r.o.
[GSM] (+420)(777)31 99 31
[SMS] john.sms(at)mujoskar.cz
[EMAIL] john(at)lerach.cz
[ICQ] 28353428
=================================
--
PHP Install Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
--- End Message ---
--- Begin Message ---
I'm new to this. I have Apache 1.3.23 installed on my XP box, working OK. I
can't seem to get PHP working with Apache 1.3.23. I've followed several
instructions now and failed each time.
The .php files on my server just prompt me to download them or open them in Notepad.
I have copied the php.ini file to my windows folder and modified it to indicate
the location of the extensions, and
copied php4ts.dll to my system32 directory.
Do I need to do something with Apache?
Any clues appreciated
--- End Message ---
--- Begin Message ---
Hello,
Have you included these lines in your Apache configuration file
(httpd.conf)?
ScriptAlias /php/ "c:/php/"
AddType application/x-httpd-php .php
Action application/x-httpd-php "/php/php.exe"
First try to do it.
BR
Darius
To: [EMAIL PROTECTED]
cc:
Subject: [PHP-WIN] PHP and Apache 1.3
--
PHP Windows Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
--- End Message ---
--- Begin Message ---
Hmmm...
"can't send" is not enough words to precisely
explain the problem... but first check the configuration
in your php.ini in the section:
[mail function]
SMTP = your smtp server
sendmail_from = [EMAIL PROTECTED]
and fill it in correctly.
mail() is working on W2k (and not only there) for sure :-)
HTH
Piotr
--- martinahingis <[EMAIL PROTECTED]> wrote:
> I can't send mails using mail() on w2k
>
> I know that there's no support to mail() but is
> there a way to make it
> support
>
> --
>
> martina.
--- End Message ---
--- Begin Message ---
Did you get a "Server error"?
-----Original Message-----
From: Piotr Pluciennik [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 2 April 2002 17.02
To: [EMAIL PROTECTED]
Subject: Re: [PHP-WIN] mail();
--- End Message ---
--- Begin Message ---
Bruce,
Thanks for all of your input, it is much appreciated.
I do know about securing IIS, but I was concerned about security when
adding PHP into the mix.
From the answers I received, I am assuming that the security is in the
OS/server software, and that there aren't any inherent security measures
to be taken with PHP? In short, if the OS/web server is fairly secure,
PHP does not break that, correct? That is my main concern.
Thanks,
Eric
-----Original Message-----
From: Bruce Barnes [mailto:[EMAIL PROTECTED]]
Sent: Monday, April 01, 2002 8:24 PM
To: [EMAIL PROTECTED]
Subject: RE: [PHP-WIN] Configuring securely in IIS5 under Windows 2000
Server
Eric et al;
START BY MAKING A FULL AND COMPLETE BACKUP OF YOUR MACHINE! IF you make
an error with USERS, GROUPS and PERMISSIONS, you might lock yourself
completely out of the machine and not be able to regain access to your
drives and directories without a complete reinstall of the Windows 2000
Operating System.
The first thing that anyone who is running Windows 2000 should do is to
format the logical drives using NTFS - this allows for MUCH greater file
security than other file systems.
The next thing to do is to DELETE the permissions for the GROUP
"EVERYONE" from all of your logical drives. To DELETE the permissions
for the GROUP "EVERYONE" from the directory that is going to contain the
actual files for the web site: if we assume that the name of the site
is "WWW.PHPHEADACHES.COM" and the directory in which the files are
located is "PHPHEADACHES", then we would highlight the directory
"PHPHEADACHES", right click on the directory, go to the SECURITY TAB and
UNCHECK the box that is at the bottom of the SECURITY WINDOW that
states: "Allow Inheritable Permissions from Parent to Propagate to this
Object."
At that point you should receive an option window that will allow you
to:
COPY
REMOVE or
CANCEL
You want to select COPY. This will COPY all of the users' and groups'
permissions to the local directory.
Next, HIGHLIGHT the GROUP named "EVERYONE" and press the DELETE key.
The "EVERYONE" GROUP has now been deleted from the directory and has no
permissions and you have now locked out anyone except the users and
groups to which you specifically give permissions.
For the purposes of PHP, the "everyone" user, as referenced in the
installation instructions, can be replaced with the GROUP of "USERS" (no
quotes) from the LOCAL MACHINE on which IIS and PHP are installed, and
that user can be given the "write" permissions where the "EVERYONE" user
used to be required to have them.
If you are running on a network with a DOMAIN SERVER, do NOT use the
group "your_network_domain_name\DOMAIN USERS" as they will not have any
permissions on the local machine unless the "DOMAIN USERS" group has
been specifically added to the "local_machine_name\USERS" group.
Next, REMOVE the "USERS" group from each of your IIS web site
directories. The only users who should have permissions in those sites
are:
1. "IUSER_local_machine_name" where "local_machine_name" is the actual
name of the local machine WITHOUT the name of the domain appended to it,
i.e. if the fully qualified domain name is "foo.bar.com", then the
"local_machine_name" will be "foo" and the username added to the
directory will be "IUSER_foo" with permissions set to READ & EXECUTE,
LIST and READ - there should be NO other permissions set for this user.
2. The username of the person who is responsible for sending the files
to the site via FTP. Remember, that user must be a user on the LOCAL
machine - in this case the "FOO" machine. If the name of the web site
directory for the hosted site is "PHPHEADACHES" and the site is named
"www.phpheadaches.com", on the machine named "FOO" and the username of
the person responsible for maintaining the web site www.phpheadaches.com
named "KONG" and "KONG" is using FTP to send the files up to the site
hosted on "FOO", then "KONG", a user on the "FOO" machine will have
permissions to the directory "PHPHEADACHES" with the permissions of
MODIFY, READ & EXECUTE, LIST, READ, and WRITE.
The user "KONG" should NOT have the FULL CONTROL permission as this
will allow him to "take ownership" of the various files and system files
that might be created in the directory. If you do not want "KONG" to be
able to execute scripts or other files in the "PHPHEADACHES" directory,
then you should UNCHECK the READ & EXECUTE setting for the user "KONG"
as well.
As the "ADMINISTRATOR" of the machine on which the web site is hosted,
you will want the local machine administrator account, in this case
"FOO\ADMINISTRATOR", to have FULL CONTROL of the web site directory
"PHPHEADACHES". If the web site machine "FOO" is part of a domain and
your administrative account gets its administrative permissions from a
domain controller, you will also want to add the "ADMINISTRATOR(S)"
account for the domain to the directory "PHPHEADACHES" and give that
account FULL CONTROL as well. In this case, the addition of the domain
administrator(s) account would look like this:
"BAR.COM\ADMINISTRATOR(S)". The "BAR.COM\ADMINISTRATOR(S)" account
should have FULL CONTROL in the directory PHPHEADACHES.
If you have users on the domain bar.com who are responsible for
maintaining the web site and they are not part of the administrators
group of "BAR.COM\ADMINISTRATORS" and you want them to have access in
the directory "PHPHEADACHES", then you need to also add those users to
the directory "PHPHEADACHES" with the appropriate level of permissions.
Next you should have the "SYSTEM" account for the "LOCAL MACHINE", in
this case "FOO", added to the directory with FULL access to the
directory.
When you APPLY the permissions, you should make sure you check the box
that applies the users and permissions to the SUB-DIRECTORIES as well.
If the web site is running Front Page Server Extensions, then it will
also contain three additional groups. Those groups will be specific to
the web site name. In the case of www.phpheadaches.com the groups will
be:
"www.phpheadaches.com Admins"
"www.phpheadaches.com Authors"
"www.phpheadaches.com Browsers"
You will need to add the appropriate users from the LOCAL MACHINE or
from the DOMAIN to each of these GROUPS on the LOCAL MACHINE.
To complete the installation, follow the instructions supplied with PHP
for Windows 2000 Server and you should have no problems. If you have
any problems, just remember to run PHPINFO() from within a script and
check the results against what you think they should be.
If you are setting up a new server, you should remove the EVERYONE group
from all logical drives IMMEDIATELY - before allowing any user other
than the ADMINISTRATOR to have access to the system for the first time.
If you have already installed software on the system and have users with
established rights to specific directories and files, this may cause
some problems for you and you will have to create new groups with
permissions to access those specific directories.
Remember, SECURITY is the MOST IMPORTANT item in the installation of any
Windows 2000 Server and IIS installation. KEEP IT ON THE BASIS OF ONLY
THOSE USERS AND GROUPS WHO NEED ACCESS HAVE ACCESS - NO ONE ELSE!
Making certain that only those users and groups who absolutely must have
permissions to any given directory on the machine, and that they have
the APPROPRIATE permissions in those directories where they have been
granted access, will save you from countless headaches, attempted server
break-ins and lots of lost revenue from downtime.
For more information on Windows 2000 Security, do a search at the
Microsoft Technet location of
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/howto/admhow.asp
(You may be asked to establish an account on the
site, a rather lengthy process, but well worth the work for anyone who
works with Windows 2000 or any other Windows product.) Microsoft
Technet provides lots of good information and lots of other server geeks
who can assist you in locating the information if you can't find it on
your own.
Bruce Barnes
======================================================
Now Providing High-Speed Internet Access from DSL.NET!
from xDSL to a full T-1 - need some? Call or visit
our web site at http://www.ChicagoNetTech.com/dsl.html
======================================================
ChicagoNetTech
3401 W Beach Ave
Chicago IL 60651-2332
mailto:[EMAIL PROTECTED]
http://www.ChicagoNetTech.com
773.365.0105 Office
773.365.0108 Fax
773.491.9019 Cell
======================================================
Secure & Encrypted Remote Data Backup
Server Co-Location Services
Computer Network Design, Installation & Maintenance
Telecomm Network Design, Installation & Maintenance
Web Site Design & Hosting
======================================================
It ALWAYS costs less to do it right the FIRST time!
======================================================
-----Original Message-----
From: Eric Gentry [mailto:[EMAIL PROTECTED]]
Sent: Monday, April 01, 2002 09:15
To: [EMAIL PROTECTED]
Subject: [PHP-WIN] Configuring securely in IIS5
I have been able to install php and get it running on our test server
running IIS5. Everything is going fine, but now I am beginning to ponder
the question, how do I secure this when it goes live?
I have read through the installation documentation, and read the
security chapter of the php manual that I downloaded from the php.net
website.
Various queries to Google have been unproductive, so I thought I may
check here.
Now, I am not talking about script internals security (that will be
handled more by our development team), just mainly how to configure php
on the server so that I don't have people tearing the darn thing down
when this site goes live. We are using the ISAPI module.
I have seen numerous tidbits on Apache, but we are going to be using
IIS.
Can anyone point me to a book, FAQ, examples, anything to set me on the
way?
Thanks a ton
--- End Message ---
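Bruce's checklist for the site directory, applied with PowerShell's Get-Acl/Set-Acl instead of the Windows 2000 dialogs; this is an added example, not code from the thread. It assumes a current Windows host with PowerShell 5.1 or later, the message's placeholder names (machine FOO, maintainer KONG, directory PHPHEADACHES) and a site root of C:\inetpub\PHPHEADACHES, all of which are marked in the script.

```powershell
# Added example (not from the thread): Bruce's NTFS steps for one site
# directory, as ACL operations rather than Security-tab clicks.
# Assumptions: PowerShell 5.1+, and the message's placeholder names below.
param(
    [string]$SiteDir   = 'C:\inetpub\PHPHEADACHES',  # assumed site root
    [string]$Machine   = 'FOO',                        # local machine name, no domain
    [string]$Publisher = 'KONG'                        # local account that FTPs the files
)

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$none    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

# Build an Allow ACE that also applies to sub-directories and files
# (the "apply to SUB-DIRECTORIES as well" box in the message).
function New-SiteRule([string]$Identity, [string]$Rights) {
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity, $Rights, $inherit, $none, $allow)
}

# Step 1: stop inheriting from the parent and COPY the inherited entries
# ("Allow Inheritable Permissions ..." unchecked, then COPY). This is
# persisted first: the copied entries only become explicit, removable
# ACEs once the protected DACL has been written back.
$acl = Get-Acl -Path $SiteDir
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $SiteDir -AclObject $acl

# Step 2: delete EVERYONE, and the local USERS group that the message
# says to remove from each web site directory.
$acl = Get-Acl -Path $SiteDir
foreach ($name in @('Everyone', 'BUILTIN\Users')) {
    $acl.Access |
        Where-Object { $_.IdentityReference.Value -eq $name } |
        ForEach-Object { [void]$acl.RemoveAccessRule($_) }
}

# Step 3: the only principals left, with the rights the message lists.
# ReadAndExecute already includes List and Read; Modify includes Write
# but not the take-ownership right that FullControl would hand to KONG.
# IIS 5's anonymous account is IUSR_<machine> (the message spells it
# IUSER_); newer IIS versions use other identities, adjust accordingly.
$rules = @(
    (New-SiteRule "$Machine\IUSR_$Machine"  'ReadAndExecute'),
    (New-SiteRule "$Machine\$Publisher"     'Modify'),
    (New-SiteRule "$Machine\Administrator"  'FullControl'),
    (New-SiteRule 'NT AUTHORITY\SYSTEM'     'FullControl')
)
# SetAccessRule replaces any existing Allow entry for the same identity,
# so each account ends up with exactly the rights listed above.
foreach ($rule in $rules) { $acl.SetAccessRule($rule) }
Set-Acl -Path $SiteDir -AclObject $acl

# Check the result, as the message suggests, before putting the site live.
(Get-Acl -Path $SiteDir).Access |
    Select-Object IdentityReference, FileSystemRights, IsInherited |
    Format-Table -AutoSize
```

Run it from an elevated prompt; an account name that does not exist on the machine makes Set-Acl fail with an identity-mapping error rather than silently skipping the entry.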
--- Begin Message ---
So far as I'm aware, you're correct: secure IIS and PHP is secure as well.
I once saw a report on a security website or in a magazine (I think the latter)
complaining that PHP was insecure insomuch as variables were posted with
the header details and could therefore be intercepted. This in itself is
not so much a problem of PHP, and can be worked around by using sessions, I
believe. All PHP does is create a dynamic webpage, i.e. create a web page
"on-the-fly". This does not expose any holes any more than creating an HTML
page does. There was recently a scare at php.net where a security loophole
was found, but it didn't concern Windows users, I believe. Because PHP
development is very much an open-source project, any holes are spotted and
repaired much faster than, say, a hole discovered in IIS would be.
Can anyone else confirm this with me?
Ross
-----Original Message-----
From: Eric Gentry [mailto:[EMAIL PROTECTED]]
Sent: 02 April 2002 16:28
To: [EMAIL PROTECTED]
Subject: RE: [PHP-WIN] Configuring securely in IIS5 under Windows 2000
Server
--- End Message ---
--- Begin Message ---
>>All PHP does, is create a dynamic webpage, ie create a web page
>>"on-the-fly". This does not expose any holes any more than creating an
>>html page does.
Not true - PHP is as secure as the pages you program.
Lack of user input verification is a good example.
>>There was recently a scare at php.net where a security loophole
>>was found, but it didn't concern windows users I believe.
Not true - it affected any server running PHP v3.0.10-v3.0.18 or v4.0.1-v4.1.1
with at least one .php file on it. Everyone was encouraged to upgrade to
4.1.2.
>>Because the PHP development is a very much open-source project,
>>any holes are spotted and repaired much faster than, say, a
>>hole was discovered in IIS.
Again, the bug was spotted years ago, supposedly by some hacker community.
It was just not reported and fixed until the 4.1.2 release.
-> The POST vulnerability is covered here:
-> http://security.e-matters.de/advisories/012002.html
-> Using the php binary to read and execute files on Windows:
-> http://www.php.net/release_4_1_2_win32.php
-> [ this was not a problem for the IIS you will be running ]
~ b r y a n
-----Original Message-----
From: Ross Fleming [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 02, 2002 10:51 AM
To: Eric Gentry; [EMAIL PROTECTED]
Subject: RE: [PHP-WIN] Configuring securely in IIS5 under Windows 2000
Server
So far as I'm aware, you're correct, secure IIS and php is secure as well.
I once saw a report in a security website or magazine (i think the latter)
complaining that PHP was insecure in so much that variables were posted with
the header details and could therefore be intercepted. This in itself is
not so much a problem of PHP, and can be worked around by using sessions I
believe. All PHP does, is create a dynamic webpage, ie create a web page
"on-the-fly". This does not expose any holes any more than creating an html
page does. There was recently a scare at php.net where a security loophole
was found, but it didn't concern windows users I believe. Because the PHP
development is a very much open-source project, any holes are spotted and
repaired much faster than, say, a hole was discovered in IIS.
Can anyone else confirm this with me?
Ross
-----Original Message-----
From: Eric Gentry [mailto:[EMAIL PROTECTED]]
Sent: 02 April 2002 16:28
To: [EMAIL PROTECTED]
Subject: RE: [PHP-WIN] Configuring securely in IIS5 under Windows 2000
Server
Bruce,
Thanks for all of your input, it is much appreciated.
I do know about securing IIS, but I was concerned about security when
adding PHP into the mix.
From the answers I received, I am assuming that the security is in the
OS/Server software, and that there aren't any inherent security measures
to be taken with PHP? In short, if the OS/web server is fairly secure,
PHP does not break that, correct? That is my main concern.
Thanks,
Eric
-----Original Message-----
From: Bruce Barnes [mailto:[EMAIL PROTECTED]]
Sent: Monday, April 01, 2002 8:24 PM
To: [EMAIL PROTECTED]
Subject: RE: [PHP-WIN] Configuring securely in IIS5 under Windows 2000
Server
Eric et al;
START BY MAKING A FULL AND COMPLETE BACKUP OF YOUR MACHINE! IF you make
an error with USERS, GROUPS and PERMISSIONS, you might lock yourself
completely out of the machine and not be able to regain access to your
drives and directories without a complete reinstall of the Windows 2000
Operating System.
The first thing that anyone who is running Windows 2000 should do is to
format the logical drives using NTFS - this allows for MUCH greater file
security than other file systems.
The next thing to do is to DELETE the permissions for the GROUP
"EVERYONE" from all of your logical drives. To DELETE the permissions
for the GROUP "EVERYONE" from the directory that is going to contain the
actual files for the web site, assume that the name of the site
is "WWW.PHPHEADACHES.COM" and the directory in which the files are
located is "PHPHEADACHES"; then we would highlight the directory
"PHPHEADACHES", right click on the directory, go to the SECURITY TAB and
UNCHECK the box that is at the bottom of the SECURITY WINDOW that
states: "Allow Inheritable Permissions from Parent to Propagate to this
Object."
At that point you should receive an option window that will allow you
to:
COPY
REMOVE or
CANCEL
You want to select COPY. This will COPY all of the users and groups
permissions to the local directory
Next, HIGHLIGHT the GROUP named "EVERYONE" and press the DELETE key.
The "EVERYONE" GROUP has now been deleted from the directory and has no
permissions and you have now locked out anyone except the users and
groups to which you specifically give permissions.
For the purposes of PHP, the "everyone" user, as referenced in the
installation instructions, can be replaced with the GROUP of "USERS" (no
quotes) from the LOCAL MACHINE on which IIS and PHP are installed, and
that user can be given the "write" permissions where the "EVERYONE" user
used to be required to have them.
If you are running on a network with a DOMAIN SERVER, do NOT use the
group "your_network_domain_name\DOMAIN USERS" as they will not have any
permissions on the local machine unless the "DOMAIN USERS" group has
been specifically added to the "local_machine_name\USERS" group.
Next, REMOVE the "USERS" group from each of your IIS web site
directories. The only users who should have permissions in those sites
are:
1. "IUSER_local_machine_name" where "local_machine_name" is the actual
name of the local machine WITHOUT the name of the domain appended to it.
ie: if the fully qualified domain name is "foo.bar.com", then the
"local_machine_name" will be "foo" and the username added to the
directory will be "IUSER_foo" with permissions set to READ & EXECUTE,
LIST and READ - there should be NO other permissions set for this user.
2. The username of the person who is responsible for sending the files
to the site via FTP. Remember, that user must be a user on the LOCAL
machine - in this case the "FOO" machine. If the name of the web site
directory for the hosted site is "PHPHEADACHES" and the site is named
"www.phpheadaches.com", on the machine named "FOO" and the username of
the person responsible for maintaining the web site www.phpheadaches.com
named "KONG" and "KONG" is using FTP to send the files up to the site
hosted on "FOO", then "KONG", a user on the "FOO" machine will have
permissions to the directory "PHPHEADACHES" with the permissions of
MODIFY, READ & EXECUTE, LIST, READ, and WRITE.
The user "KONG" should NOT have the FULL CONTROL permissions as this
will allow him to "take ownership" of the various files and system files
that might be created in the directory. If you do not want "KONG" to be
able to execute scripts or other files in the "PHPHEADACHES" directory,
then you should UNCHECK the READ & EXECUTE setting for the user "KONG"
as well.
As the "ADMINISTRATOR" of the machine on which the web site is hosted,
you will want the local machine administrator account, in this case
"FOO\ADMINISTRATOR" to have FULL CONTROL of the web site directory
"PHPHEADACHES". If the web site machine "FOO" is part of a domain and
your administrative account gets its administrative permissions from a
domain controller, you will also want to add the "ADMINISTRATOR(S)"
account for the domain to the directory "PHPHEADACHES" and give that
account FULL CONTROL as well. In this case, the addition of the domain
administrator(s) account would look like this:
"BAR.COM\ADMINISTRATOR(S)". The "BAR.COM\ADMINISTRATOR(S)" account
should have FULL CONTROL in the directory PHPHEADACHES.
If you have users on the domain bar.com who are responsible for
maintaining the web site and they are not part of the administrators
group of "BAR.COM\ADMINISTRATORS" and you want them to have access in
the directory "PHPHEADACHES", then you need to also add those users to
the directory "PHPHEADACHES" with the appropriate level of permissions.
Next you should have the "SYSTEM" account for the "LOCAL MACHINE", in
this case "FOO", added to the directory with FULL access to the
directory.
When you APPLY the permissions, you should make sure you check the box
that applies the users and permissions to the SUB-DIRECTORIES as well.
If the web site is running Front Page Server Extensions, then it will
also contain three additional groups. Those groups will be specific to
the web site name. In the case of www.phpheadaches.com the groups will
be:
"www.phpheadaches.com Admins"
"www.phpheadaches.com Authors"
"www.phpheadaches.com Browsers"
You will need to add the appropriate users from the LOCAL MACHINE or
from the DOMAIN to each of these GROUPS on the LOCAL MACHINE.
To complete the installation, follow the instructions supplied with PHP
for Windows 2000 Server and you should have no problems. If you have
any problems, just remember to run PHPINFO() from within a script and
check the results against what you think they should be.
If you are setting up a new server, you should remove the EVERYONE group
from all logical drives IMMEDIATELY - before allowing any user other
than the ADMINISTRATOR to have access to the system for the first time.
If you have already installed software on the system and have users with
established rights to specific directories and files, this may cause
some problems for you and you will have to create new groups with
permissions to access those specific directories.
Remember, SECURITY is the MOST IMPORTANT item in the installation of any
Windows 2000 Server and IIS installation. KEEP IT ON THE BASIS OF ONLY
THOSE USERS AND GROUPS WHO NEED ACCESS HAVE ACCESS - NO ONE ELSE!
Making certain that only those users and groups who absolutely must have
permissions to any given directory on the machine, and that they have
the APPROPRIATE permissions in those directories where they have been
granted access, will save you from countless headaches, attempted server
break-ins and lots of lost revenue from downtime.
For more information on Windows 2000 Security, do a search at the
Microsoft Technet location of
"http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/howto/admhow.asp"
(You may be asked to establish an account on the
site, a rather lengthy process, but well worth the work for anyone who
works with Windows 2000 or any other Windows product.) Microsoft
Technet provides lots of good information and lots of other server geeks
who can assist you in locating the information if you can't find it on
your own.
Bruce Barnes ======================================================
Now Providing High-Speed Internet Access from DSL.NET!
from xDSL to a full T-1 - need some? Call or visit
our web site at http://www.ChicagoNetTech.com/dsl.html
======================================================
ChicagoNetTech
3401 W Beach Ave
Chicago IL 60651-2332
mailto:[EMAIL PROTECTED]
http://www.ChicagoNetTech.com
773.365.0105 Office
773.365.0108 Fax
773.491.9019 Cell ======================================================
Secure & Encrypted Remote Data Backup
Server Co-Location Services
Computer Network Design, Installation & Maintenance
Telecomm Network Design, Installation & Maintenance
Web Site Design & Hosting
======================================================
It ALWAYS costs less to do it right the FIRST time!
======================================================
-----Original Message-----
From: Eric Gentry [mailto:[EMAIL PROTECTED]]
Sent: Monday, April 01, 2002 09:15
To: [EMAIL PROTECTED]
Subject: [PHP-WIN] Configuring securely in IIS5
I have been able to install php and get it running on our test server
running IIS5. Everything is going fine, but now I am beginning to ponder
the question, how do I secure this when it goes live?
I have read through the installation documentation, and read the
security chapter of the php manual that I downloaded from the php.net
website.
Various queries to Google have been unproductive, so I thought I may
check here.
Now, I am not talking about script internals security (that will be
handled more by our development team), just mainly how to configure php
on the server so that I don't have people tearing the darn thing down
when this site goes live. We are using the ISAPI module.
I have seen numerous tidbits on Apache, but we are going to be using
IIS.
Can anyone point me to a book, FAQ, examples, anything to set me on the
way?
Thanks a ton
--
PHP Windows Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
--- End Message ---
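The NTFS permission layout that Bruce Barnes walks through in the GUI above, written as a script so it can be reviewed and re-applied identically on every site directory. This is an added example and is not part of any message in the thread. It uses PowerShell's Get-Acl/Set-Acl and the .NET FileSystemSecurity API, which Windows 2000 does not have (there the GUI steps or cacls.exe apply). The machine name FOO, the directory C:\inetpub\sites\PHPHEADACHES, the FTP user FOO\KONG and the domain group BAR\Domain Admins are placeholders modelled on the post; IUSR_FOO is the anonymous web account that IIS 5 creates as IUSR_<machine>.

```powershell
# Added example, not from the original thread. All names below are placeholders.
# Run from an elevated PowerShell as a local administrator, after taking the
# full backup the post insists on: a mistake here can lock you out of the tree.

$Site     = 'C:\inetpub\sites\PHPHEADACHES'
$WebUser  = 'FOO\IUSR_FOO'      # IIS anonymous identity: read/list/execute only
$FtpUser  = 'FOO\KONG'          # content maintainer: Modify, never Full Control
$FullCtrl = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'BAR\Domain Admins')
$Remove   = @('Everyone', 'BUILTIN\Users')   # groups the post says must go; add
                                             # e.g. 'Authenticated Users' if copied in

function New-Ace {
    param(
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights
    )
    # ContainerInherit + ObjectInherit = "this folder, subfolders and files",
    # i.e. the GUI box that pushes the entry down to the sub-directories.
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $Identity,
        $Rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow
    )
}

# Step 1: stop inheriting from the parent (the "Allow inheritable permissions"
# checkbox) and keep a copy of the inherited entries (the COPY button). The
# copied entries only become explicit once the ACL is written back, so persist
# before editing individual entries, otherwise the removals below are ignored.
$acl = Get-Acl -LiteralPath $Site
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -LiteralPath $Site -AclObject $acl

# Step 2: re-read, drop Everyone and Users entirely, then add only the
# principals that need access, each with the least rights that still work.
$acl = Get-Acl -LiteralPath $Site
foreach ($name in $Remove) {
    $acl.PurgeAccessRules([System.Security.Principal.NTAccount]$name)
}
$acl.AddAccessRule((New-Ace -Identity $WebUser -Rights ReadAndExecute))  # Read & Execute, List, Read
$acl.AddAccessRule((New-Ace -Identity $FtpUser -Rights Modify))          # Modify, R&X, List, Read, Write
foreach ($name in $FullCtrl) {
    $acl.AddAccessRule((New-Ace -Identity $name -Rights FullControl))
}
Set-Acl -LiteralPath $Site -AclObject $acl

# Step 3: the "apply to sub-directories" part. Existing children get their
# stale explicit entries removed and inherit the site root's ACL again;
# children created later inherit automatically.
Get-ChildItem -LiteralPath $Site -Recurse -Force | ForEach-Object {
    $child = Get-Acl -LiteralPath $_.FullName
    $child.SetAccessRuleProtection($false, $false)
    foreach ($rule in @($child.Access | Where-Object { -not $_.IsInherited })) {
        [void]$child.RemoveAccessRule($rule)
    }
    Set-Acl -LiteralPath $_.FullName -AclObject $child
}

# Verify: show what ended up on the directory and fail loudly if Everyone survived.
$final = Get-Acl -LiteralPath $Site
$final.Access | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
if ($final.Access | Where-Object { $_.IdentityReference -eq 'Everyone' }) {
    throw "Everyone still has an entry on $Site"
}
```

The split into two Set-Acl calls is deliberate: with a single pass the in-memory ACL still marks the copied entries as inherited and PurgeAccessRules leaves them in place. After running it, check the result the way the post suggests, with phpinfo() and a trivial script under the site, and with a second browser request as an unauthenticated user to confirm IUSR_FOO can read but not write.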
--- Begin Message ---
>>not true - it affected any server running
>>PHP v3.0.10-v3.0.18, v4.0.1-v4.1.1
>>with at least one .php file on it.
>>Everyone was encouraged to upgrade to
>>4.1.2
sorry - they made patches for earlier versions also,
so everyone was advised to patch or upgrade.
~ b r y a n
--- End Message ---
--- Begin Message ---
I'm afraid I stand by my answers bar one:
re the recent security scare: quote from the php.net "It is known that
Apache (any version) and iPlanet servers are vulnerable to this issue,
however Microsoft IIS is not." This person states he is using IIS.
re PHP being "as secure as the pages you program" - not really a server
security issue is it? If he wants to put a link saying "read all my
passwords" then that's his business.
re the POST vulnerability, I'll retract my comment on that
--- End Message ---
--- Begin Message ---
Using the script below, I was able to connect to the database named
"contacts" for
output.
*However*, when I insert a [username] and [password] in place of the "" "",
I get:
"Couldn't connect to the database" - even though I am able to connect to
mysql.
How do I go about replacing the "" and "" to insert a password and username
so that it can be connected to a database?
Any advice will be greatly appreciated.
TR
.................................................
<HTML>
<BODY>
<?php
// The MySQL account name and password go in place of "" and "".
// (On PHP 7 and later the mysql_* functions no longer exist; mysqli_connect()
// and the mysqli_* functions are the equivalents.)
$connection = mysql_connect("localhost", "", "");
if (!$connection)
{
    // mysql_error() says why: bad password, host not allowed, server down, ...
    echo "Couldn't connect: " . mysql_error();
    exit;
}
$db = mysql_select_db("contacts", $connection);
if (!$db)
{
    // Reaching this point means the login worked but the database could not be
    // selected; the usual cause is that the account has no privileges on
    // "contacts" (compare SHOW GRANTS for that account). mysql_error() shows it.
    echo "Couldn't connect to the database: " . mysql_error($connection);
    exit;
}
$sql = "SELECT * FROM leads";
$mysql_result = mysql_query($sql, $connection);
if (!$mysql_result)
{
    echo "Query failed: " . mysql_error($connection);
    exit;
}
$num_rows = mysql_num_rows($mysql_result);
if ($num_rows == 0)
{
    echo "There is no information";
}
else
{
    echo "<TABLE ALIGN=\"Center\" BORDER=\"1\">";
    echo "<TR><TH><FONT FACE=\"Arial\" SIZE=\"2\">First Name</FONT></TH>"
       . "<TH><FONT FACE=\"Arial\" SIZE=\"2\">Last Name</FONT></TH>"
       . "<TH><FONT FACE=\"Arial\" SIZE=\"2\">email</FONT></TH>"
       . "<TH><FONT FACE=\"Arial\" SIZE=\"2\">State</FONT></TH></TR>";
    while ($row = mysql_fetch_array($mysql_result))
    {
        // Escape database values before echoing them into HTML, so a lead whose
        // name or email contains "<script>" cannot inject markup into this page.
        $fname = htmlspecialchars($row["fname"]);
        $lname = htmlspecialchars($row["lname"]);
        $email = htmlspecialchars($row["email"]);
        $state = htmlspecialchars($row["state"]);
        echo "<TR><TD><FONT FACE=\"Arial\" SIZE=\"2\">$fname</FONT></TD>"
           . "<TD><FONT FACE=\"Arial\" SIZE=\"2\">$lname</FONT></TD>"
           . "<TD><FONT FACE=\"Arial\" SIZE=\"2\">$email</FONT></TD>"
           . "<TD><FONT FACE=\"Arial\" SIZE=\"2\">$state</FONT></TD></TR>";
    }
    echo "</TABLE>";
}
mysql_close($connection);
?>
</BODY>
</HTML>
--- End Message ---
--- Begin Message ---
No one can help?! Please, please, please...
"Tim Mackenzie" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> I'm running W2K with Apache and PHP4. I'm going to be hosting a number of
> websites that I would like to provide PHP support for. What I don't want is
> them to be able to access my entire file system. They should, at most, be
> only allowed read/write access to their site folder. How do I go about
> doing this? I've looked around, but I haven't found something that
> addresses this. I know there's the basedir value (I think that's it), but I
> don't understand how to use it. Could somebody (several people) please post
> any tips they have for securing the file system of a web server. Thanks!
--- End Message ---
--- Begin Message ---
No offence, but chances are that no-one is answering because it's not a
PHP-related question. My advice to you is to read the FAQs at apache.org (the
correct address you need is http://httpd.apache.org/docs/misc/FAQ.html,
specifically section E) and set up apache securely first (which is not too
difficult, by default, apache only gives people read access to everything
within the htdocs folder and nothing else) and once you've done that,
install PHP on top of it. You'll find that PHP makes little or no
difference to the security of your web-server. Reading your email a bit
more thoroughly it seems that you want to host several websites from one
machine, yes? In which case, you want to use the Virtual Hosts functions of
Apache, see http://httpd.apache.org/docs/vhosts/ for further details.
Anyway, good luck. Oh and another link I just found is the support web-ring
for apache: http://p.webring.com/navcgi?ring=apachesupport;list
Have fun! :)
Ross
--- End Message ---
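The "basedir value" Tim is asking about is PHP's open_basedir directive. Here it is set per virtual host in httpd.conf, which is the mechanism that confines each hosted site's PHP to its own tree under mod_php. This is an added configuration example, not part of Tim's or Ross's messages; the site names, the C:/sites/... and C:/php/tmp/... paths, and the second site are placeholders.

```apache
# Added example, not from the original thread. Placeholder paths and names.
# Apache 1.3/2.0 need this line for name-based vhosts (2.4 ignores it).
NameVirtualHost *:80

# Weak: no open_basedir at all (PHP's default). A script on any vhost can read
# whatever the Apache service account can read, including the other sites'
# directories, their config files with database passwords, and php.ini.
#   php_admin_value open_basedir none

# Hardened: one restriction per virtual host. php_admin_value is honoured only
# from httpd.conf; a site owner cannot undo it from .htaccess or ini_set().
<VirtualHost *:80>
    ServerName www.phpheadaches.com
    DocumentRoot "C:/sites/phpheadaches/htdocs"

    # PHP's own file functions (fopen, include, require, readfile, opendir, ...)
    # refuse any path outside these entries. Entries are separated by ";" on
    # Windows. End each one with a slash: older PHP treats "C:/sites/php" as a
    # prefix, which would also admit "C:/sites/phpheadaches2/".
    php_admin_value open_basedir "C:/sites/phpheadaches/;C:/php/tmp/phpheadaches/"

    # Uploads and sessions must land inside the allowed tree, and in a per-site
    # directory, so one site cannot read another site's session files.
    php_admin_value upload_tmp_dir    "C:/php/tmp/phpheadaches/upload"
    php_admin_value session.save_path "C:/php/tmp/phpheadaches/session"

    # open_basedir governs only PHP's file access. A script can still launch
    # cmd.exe, which ignores it, so remove the process-spawning functions too.
    php_admin_value disable_functions "exec,passthru,shell_exec,system,popen,proc_open"
</VirtualHost>

<VirtualHost *:80>
    ServerName www.example.org
    DocumentRoot "C:/sites/example/htdocs"
    php_admin_value open_basedir "C:/sites/example/;C:/php/tmp/example/"
    php_admin_value upload_tmp_dir    "C:/php/tmp/example/upload"
    php_admin_value session.save_path "C:/php/tmp/example/session"
    php_admin_value disable_functions "exec,passthru,shell_exec,system,popen,proc_open"
</VirtualHost>
```

To check it, drop a one-line script such as readfile('C:/sites/example/htdocs/index.php') into www.phpheadaches.com and request it: PHP should log "open_basedir restriction in effect" and return nothing. Two caveats a hosting setup needs to keep in mind: every vhost still runs as the single Apache service account, so NTFS ACLs cannot tell the sites apart and open_basedir is the only per-site boundary; and it is enforced by PHP rather than by the operating system, so it is a mitigation for careless or hostile scripts, not a sandbox.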