More Help Securing PHP Installations

More Help Securing PHP Installations
More Help Securing PHP Installations

Forwarded with permission from: Security UPDATE 


Roadmap to Email Archiving and Compliance 

Guide to SQL Server Backup and Recovery 

Beyond the Buzzword: Demystifying Virtualization 

=== CONTENTS ==================================================
IN FOCUS: More Help Securing PHP Installations 

   - Scrub Your Ajax Applications to Remove Security Problems
   - Wireless Equivalent Privacy Offers No Privacy
   - Top 10 Configuration Mistakes and How to Avoid Them
   - Recent Security Vulnerabilities

   - Security Matters Blog: NGSSoftware on Oracle Forensics
   - FAQ: View the Full Network Map in Vista
   - From the Forum: Why Does Installing Word on a Server Fix EFS 
   - Tell Us About the Products You Love!
   - Share Your Security Tips

   - Enforce Strong Passwords




=== SPONSOR: Sherpa Software ==================================
Roadmap to Email Archiving and Compliance
   How will compliance regulations affect your IT infrastructure? Help 
design your retention and retrieval, privacy and security policies to 
make sure that your organization is compliant. Download the free eBook 

=== IN FOCUS: More Help Securing PHP Installations ============   by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

You probably recall the Month of PHP Bugs (MOPB), which I wrote about 
in March (see the first URL below). By the end of the MOPB, 41 bugs had 
been published. Jeff Forristal, a senior research and development 
engineer at SPI Dynamics, monitored the bug postings, and mid-month, he 
wrote an article that offers a general overview and analysis (at the 
second URL below). 

Forristal's article offers some interesting information about the 
potential impact of the bugs released up to that time. Most notable is 
that two of the bugs could lead to a serious server security compromise 
for those who allow third parties to upload and run PHP-based scripts 
on their servers. Forristal wrote that "Web hosting companies offering 
PHP hosting services should be really concerned right now." 

Last week, Forristal published a second article regarding MOPB, which 
is available at the URL below. Again he offers some very interesting 
analysis that gives you plenty of reason to make absolutely certain 
that you're using the latest version of PHP 4 or 5. While the analysis 
is very helpful, I found the information in the section "Being 
proactive with your PHP installation" even more helpful. 

In that section, Forristal offers a lengthy list of various 
configuration settings that should be checked. In some cases, you might 
find that there are a lot of PHP features that your applications don't 
use and that therefore shouldn't be enabled. You can think of securing 
your PHP installation as you would any other server hardening process--
if you aren't using a component, it shouldn't be enabled on the system. 

The next version of PHP 5--PHP 5.2.2--is under development, and Release 
Candidate 1 (RC1) will have been released into testing by the time you 
read this or soon will be. While the final version release date isn't 
set yet, hopefully it won't be too far in the future. When it becomes 
available, make certain that you upgrade as soon as you can. 
Unfortunately, there isn't any news as to when a new version of PHP 4 
will become available. You can check for news at the Web site, 
and look for future announcements in the php.internals news group at 
the URL below. 

For yet more ways to secure your PHP installation, see my earlier 
article at the URL below. 

TechX Interoperability Web site and UPDATE email newsletter:
   Do you work in a mixed environment? Visit TechX World (at the first 
URL below) for information about Windows interoperability. The TechX 
World community gives you access to interoperability articles that 
aren't available anywhere else; news, tips, and tricks from interop 
experts and other users; and forums and blog posts by other community 
members. Join the TechX World community and sign up for the TechX 
Interoperability UPDATE email newsletter (at the second URL below). 

=== SPONSOR: Idera ============================================
Guide to SQL Server Backup and Recovery
   Maximize uptime by using four high-availability technologies that 
are provided by SQL Server 2005: failover clustering, database 
mirroring, log shipping and replication. Download this essential guide 
now and learn to optimize your SQL Server backup and recovery with 
technologies you already have. 

=== SECURITY NEWS AND FEATURES ================================
Scrub Your Ajax Applications to Remove Security Problems
   Fortify Software recently released an advisory that discusses what 
it calls "a new class of vulnerability: JavaScript Hijacking" that can 
affect Web applications written in Asynchronous JavaScript and XML 

Wireless Equivalent Privacy Offers No Privacy
   WEP is even less secure than originally thought. New methods can 
crack the encryption in a matter of minutes. 

Top 10 Configuration Mistakes and How to Avoid Them
   Blake Eno recently spoke with Configuresoft's Technology Strategist, 
George Gerchow, and Vice President of Marketing, Andrew Byrd, about the 
top 10 configuration mistakes most commonly made and how to avoid them. 
Get a rundown in this article on our Web site. 

Recent Security Vulnerabilities
   If you subscribe to this newsletter, you also receive Security 
Alerts, which inform you about recently discovered security 
vulnerabilities. You can also find information about these 
discoveries at 

=== SPONSOR: HP ===============================================
Beyond the Buzzword: Demystifying Virtualization
   Total Cost of Ownership--TCO--It's every executive's favorite 
buzzword, but what does it really mean and how does it affect you? In 
this podcast, Ben Smith explains how your organization can use 
virtualization technology to measurably improve the TCO for servers and 

=== GIVE AND TAKE =============================================
SECURITY MATTERS BLOG: NGSSoftware on Oracle Forensics
by Mark Joseph Edwards, 

If you use Oracle database server, you'll probably find these three new 
papers from Next Generation Security Software (NGSSoftware)'s Web site very useful. 

FAQ: View the Full Network Map in Vista
by John Savill, 

Q: How do I enable the "Full Network Map" in Windows Vista when the 
machine is part of a domain?

Find the answer at 

FROM THE FORUM: Why Does Installing Word on a Server Fix EFS Problems?
   A forum participant writes that he has two computers running Windows 
XP Professional SP2. They access Encrypting File System (EFS)-encrypted 
files on a Windows Server 2003 computer, which happens to be the domain 
controller (DC). Several types of files are encrypted, including .doc, 
.xls, .pdf, other Adobe Systems file types, and .txt. 
   Everything worked fine except that users received an error message 
when they tried to save a Word file, even one they just created. The 
forum participant installed Word on the server, and the problem went 
away. However, the participant notes that Excel, for example, is not on 
the server, and Excel operations work fine. The participant wonders if 
this is a known issue and if there's a better way of fixing the 

   What products are you using that save you time or make your workload 
a little lighter? What hot product discoveries have you made that other 
IT pros need to know about? Let the world know about your experiences 
in Windows IT Pro's monthly What's Hot department. If we publish your 
story in What's Hot, we'll send you a Best Buy gift card! Send 
information about your favorite product and how it has helped you to 

   Share your security-related tips, comments, or problems and 
solutions in Security Pro VIP's Reader to Reader column. Email your 
contributions to If we print your submission, 
you'll get $100. We edit submissions for style, grammar, and length.

=== PRODUCTS ================================================== by Renee Munshi, 

Enforce Strong Passwords
   Altus Network Solutions offers Passfilt Pro 3.54, a password 
filtering and policy enforcement solution that lets you maintain as 
many as six password policies in one Windows domain. A new client 
component provides password requirements specific to the end user, 
gauges password strength as the user types a new password, and if the 
password doesn't meet the requirements, gives the user the reasons for 
failure. Passfilt Pro is controlled by Group Policy Objects (GPOs); it 
doesn't require a separate password policy server. Passfilt Pro 
compares a proposed password against a multilanguage dictionary of more 
than 2 million common passwords and rejects any proposed passwords that 
are in the dictionary. For more information, go to 

=== RESOURCES AND EVENTS ======================================   For more security-related resources, visit 

Windows + UNIX/Linux = You Need TechX World! 
   If you work in an environment that includes both Windows and UNIX or 
Linux, TechX World is the place to go for practical strategies and 
resources to add to your toolkit. This one-day technical training event 
will teach you how to make the most of open-source tools on Windows and 
how to manage and sync multiple directories. Register today! 

Get Ready for the Windows Server Longhorn Roadshow! 
   Seize control of your Windows infrastructure with Microsoft's 
biggest server release since Windows 2003. Get a live, under-the-hood 
look at Longhorn virtualization, deployment, Web services, and 
breakthroughs in core reliability. This one-day event is filled with 
demonstrations and in-depth discussions designed for IT pros who want a 
deep understanding of Windows Server Longhorn. 

Deploy Exchange Server 2007 Without a Hitch! 
   This one-day technical training event teaches you how to preempt 
pitfalls and avoid corrupting your email infrastructure. Learn how to 
effectively install, manage, and secure Exchange Server 2007 in a 64-
bit environment. You'll also get a peek into the integration of 
Outlook, SharePoint Server 2007, and Exchange Server 2007. Register 

=== FEATURED WHITE PAPER ======================================
Do you want to block unwanted or undesirable email? Download this free 
white paper to learn how to manage the content of messages traversing 
your network. 

=== ANNOUNCEMENTS =============================================
Introducing a Unique Security Resource 
   Security Pro VIP is an online information center that delivers new 
articles every week on topics such as perimeter security, 
authentication, and system patches. Subscribers also receive tips, 
cautionary advice, direct access to our editors, and a host of other 
benefits! Order now at an exclusive charter rate and save up to $50! 

Grab Your Share of the Spotlight!  
   Nominate yourself or a peer to become IT Pro of the Month. This is 
your chance to get the recognition you deserve! Winners will receive 
over $600 in IT resources and be featured in Windows IT Pro. It's easy 
to enter--we're accepting June nominations now, but only for a limited 
time! Submit your nomination today: 

Security UDPATE is brought to you by the Windows IT Pro Web site's 
Security page (first URL below) and Security Pro VIP (second URL 

Subscribe to Security UPDATE at 

Be sure to add 
to your antispam software's list of allowed senders.

To contact us: 
About Security UPDATE content -- 
About technical questions -- 
About your product news -- 
About your subscription -- 
About sponsoring Security UPDATE -- 

View the Windows IT Pro privacy policy at 

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2007, Penton Media, Inc. All rights reserved.

Subscribe to InfoSec News 

Site design & layout copyright © 1986-2014 CodeGods