Educause Security Discussion mailing list archives

Re: PHP and IIS/IPlanet


From: Clyde Hoadley <hoadleyc () MSCD EDU>
Date: Tue, 23 Dec 2003 08:48:15 -0700

Just like any software, PHP has its fair share of bugs and other
vulnerabilities.  For a good list of known vulnerabilities in PHP,
see http://www.securityfocus.com/bid and select PHP from the
drop-down menu.

I'm not an expert in PHP but I would encourage you to ensure that
the host server has been properly installed, patched, configured
and hardened.  I would suggest that it be firewalled.  Then, ensure
that the PHP interpreter has been properly installed and configured.
Finally, ensure that the people who develop the scripts are aware
of security issues and secure programming techniques.  They should
already know about cleansing the input, parameter checking, etc.

You might find the following links useful:

PHP Security, Part 1
http://www.onlamp.com/pub/a/php/2003/07/31/php_foundations.html

PHP Security, Part 2
http://www.onlamp.com/pub/a/php/2003/08/28/php_foundations.html

Securing PHP: Step-by-step
http://www.securityfocus.com/infocus/1706

Securing Apache: Step-by-Step
http://www.securityfocus.com/infocus/1694

BASIC IIS 5.0 DEFAULT WEB SERVER SECURITY
http://www.sans.org/rr/papers/index.php?id=304

Building a Secure Windows ® 2000 Professional Network Installation
http://www.sans.org/rr/papers/index.php?id=218

--
Clyde Hoadley
Security & Disaster Recovery Coordinator
Division of Information Technology
Metropolitan State College of Denver
hoadleyc () mscd edu
http://clem.mscd.edu/~hoadleyc/
(303) 556-5074


West, David F. wrote:
Is anyone running PHP (http://us3.php.net/manual/en/faq.general.php) on their IIS or other webservers? Any security or other issues seen from this?

Thanks!!
Dave West
Network Administrator
Saint Augustine's College
dfwest () st-aug edu

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
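The "cleansing the input, parameter checking" advice above, shown as an added example (not code from the thread or from either poster): a PHP CLI script that validates request parameters against explicit rules, binds values with a prepared statement instead of interpolating them, and escapes output for HTML. It assumes the pdo_sqlite extension is available; the request data and the users table are constructed for the demo and stand in for $_GET and a real database.

```php
<?php
// Added example (not from the original thread): parameter checking and
// input cleansing for a PHP script. Assumes the PHP CLI with pdo_sqlite;
// the request values and table contents below are constructed for the demo.

declare(strict_types=1);

// Validate a numeric id parameter: reject anything that is not an integer in range.
function validateId(array $params): ?int
{
    if (!isset($params['id'])) {
        return null;
    }
    $id = filter_var($params['id'], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 1000000],
    ]);
    return $id === false ? null : $id;
}

// Validate a username against an explicit allow-list pattern (letters, digits, _ . -).
function validateUsername(array $params): ?string
{
    if (!isset($params['user']) || !is_string($params['user'])) {
        return null;
    }
    return preg_match('/\A[A-Za-z0-9_.-]{1,32}\z/', $params['user']) === 1
        ? $params['user']
        : null;
}

// Look a user up by id with a prepared statement, so the value is bound, never interpolated.
function findUser(PDO $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['name'];
}

// Escape for HTML output so a user-controlled string cannot inject markup.
function renderName(string $name): string
{
    return '<p>Hello, ' . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// --- demo with an in-memory database and constructed request data ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, '<b>bob</b>')");

// Constructed inputs standing in for $_GET: one well-formed, two malformed.
$requests = [
    ['id' => '2', 'user' => 'bob'],
    ['id' => '2 OR 1=1', 'user' => 'bob'],
    ['id' => '1', 'user' => "alice'; DROP TABLE users; --"],
];

foreach ($requests as $params) {
    $id = validateId($params);
    $user = validateUsername($params);
    if ($id === null || $user === null) {
        echo "rejected: " . json_encode($params) . "\n";
        continue;
    }
    $name = findUser($db, $id);
    echo ($name === null) ? "no such user\n" : renderName($name) . "\n";
}
```

Run it with `php script.php`: the first request is accepted and the stored name is printed with its angle brackets escaped; the second and third are rejected before any query runs, because validation uses allow-lists (an integer range, a character-class pattern) rather than trying to strip out bad characters.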
