Re: PHP newbie questions
From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 08/28/04
- Next message: Jonathan Maltz [MS-MVP]: "Re: WinSer2003"
- Previous message: Johnny Kitchens: "WinSer2003"
- In reply to: Bradley Plett: "Re: PHP newbie questions"
Date: Fri, 27 Aug 2004 21:32:54 -0700
Installing PHP support (like any other application) increases security risk
by increasing the attack surface of the server. IIS6 has taken precautions
against such risk by decreasing the privileges of the identity executing
user code like PHP and isolating configuration from user code, but
ultimately, security depends as much on your diligence in configuration as
on IIS not having an exploitable platform (we're assuming the third
pillar of security -- that your computing environment encourages security
practices -- by you asking about security).
As for whether installing a program introduces a hole in IIS/Windows --
completely depends on what the setup program does and what you do
afterwards. If it decides to weaken ACLs on files like CMD.EXE (so that
PHP's shell() command can work, for example), then obviously that weakens
overall system security. That would be an example of a PHP security hole
and NOT a security hole in IIS/Windows (since CMD.EXE ACLs wouldn't be
weakened without PHP).
--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//

"Bradley Plett" <plettb@hotmail.com> wrote in message
news:1vfki09taarvs2kq738017noi3d3pkha00@4ax.com...
Thanks for your response!

Re. PHP vs. Perl - I got confused due to reading I did in newsgroups.
It seemed that some people used the terms interchangeably. I
understand what CGI is, but didn't realize that PHP and Perl are
completely separate languages. In fact, from some of my reading I was
beginning to assume that PHP was just a subset of Perl, which made me
wonder whether I should just install the standard Perl CGI to handle
the PHP. Thanks for clearing this up for me!

WRT security: yes, I'll be checking the PHP world. I just wanted
confirmation that there weren't some obvious gotchas when running
under IIS that the PHP people might not be aware of or point out. I
can review the PHP code to make sure it's reasonable, but I wanted to
know that installing PHP support on my machine to begin with didn't
introduce any big holes in IIS or Windows specifically.

Thanks!
Brad.

On Mon, 23 Aug 2004 14:42:01 -0400, "Jonathan Maltz [MS-MVP]"
<jmaltz@mvps.org> wrote:
>Hi,
>
>You should probably be asking in the PHP world how you can secure it, but
>here are some points to answer your post:
>1) PHP is not Perl, and Perl is not PHP. They are completely different
>languages. You probably got confused because they're both "CGI" programs.
>CGI = Common (key word) Gateway Interface
>2) www.php.net is the correct place
>3) You can install Perl and PHP on the same server (get Perl from
>http://www.activestate.com/)
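The risk named in the reply above, a setup program loosening the ACL on CMD.EXE, can be audited after an install. The following is an added example, not part of the original post, and assumes a server where PowerShell is available; the function name `Get-WebExecutableAce` and the identity patterns are illustrative assumptions to adapt to the accounts your worker processes and anonymous users run as.

```powershell
# Added example: list Allow ACEs on cmd.exe that give web-facing identities
# the right to execute it. Identity patterns are ASSUMPTIONS, not a standard list.
$WebIdentityPatterns = @(
    '*\IUSR*', '*\IWAM*', '*\IIS_WPG', '*\IIS_IUSRS',
    'NT AUTHORITY\NETWORK SERVICE', 'Everyone'
)

# ExecuteFile (0x20) plus the raw GENERIC_EXECUTE (0x20000000) and
# GENERIC_ALL (0x10000000) bits, which Get-Acl can return unmapped.
$ExecuteMask = 0x20 -bor 0x20000000 -bor 0x10000000

function Get-WebExecutableAce {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [string[]] $IdentityPatterns = $WebIdentityPatterns
    )
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        # Deny entries and entries without execute rights are not findings.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.FileSystemRights -band $ExecuteMask) -eq 0) { continue }

        $id = $ace.IdentityReference.Value
        if ($IdentityPatterns | Where-Object { $id -like $_ }) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $id
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # explicit ACEs suggest a deliberate change
            }
        }
    }
}

$target   = Join-Path $env:SystemRoot 'System32\cmd.exe'
$findings = @(Get-WebExecutableAce -Path $target)
if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
} else {
    "No execute ACEs for the listed web identities on $target"
}
```

Running it before and after installing a component such as PHP, and comparing the output, shows whether the installer changed who may execute CMD.EXE.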