PHP server vulnerability
I don't know much about PHP, but you all seem to. :)
I'm working on a site for a school district. They would like to install an application that allows certain students to update several calendars. I've found and used a great PHP app for this in the past, but that's where I run into trouble. The school district hosts their own site and doesn't have PHP installed on the server. When I asked the administrator to install PHP he doesn't want to becasue they are running MS Exchange on the same server and said it will open the email server up to vulnerabilities.
Will installing PHP cause a problem really? Am I just stuck?
Thanks guys! Sorry if it's a dumb question...I'm at a loss.
The administrator is the one who should be reinstalled :mad:. He is just too lazy to do extra work. A server will not have any vulnerabilities if installed and configured properly.
Just my 2 cents.
So PHP doesn't really make it any more vulnerable?
No if you know how to use it.
PHP by itself doesn't make the server more vulnerable, it's poorly coded PHP scripts on the server that could open it up to hackers.
I think that's a bit harsh on the poor admin. He is ultimately responsible for the mail server staying up, so adding anythin else is going to increase the risk of failure. I'd also refuse to put PHP on a production box that was running another service. Just one typo in a script may open the whole server to teh skr1pt k1dd13s.
Yes, but I've tried to explain to him that I'm not writing the script. It's a secure and trusted existing application.
He sent me this link http://www.sans.org/top20/#c3 and forwared my request to his bosses and the district administrators. My reply was:
"My understanding of what you sent me says that if you install the most recent version of PHP you are fine, and it is still almost all scripting problems. This article also details what you can do to protect yourself from such risks. Iím not sure what the problem is."
Am I making an idiot of myself on this?
I'd say if you're running a windows server, the last thing you'd be concerned about is installing php on it. The guy is your typical microsoft idiot, if it doesn't have pretty windows or there's not a patch to install every week, typically they'd be lost.