-
PHP server vulnerability
I don't know much about PHP, but you all seem to. :)
I'm working on a site for a school district. They would like to install an application that allows certain students to update several calendars. I've found and used a great PHP app for this in the past, but that's where I run into trouble. The school district hosts their own site and doesn't have PHP installed on the server. When I asked the administrator to install PHP, he didn't want to because they are running MS Exchange on the same server and said it will open the email server up to vulnerabilities.
Will installing PHP cause a problem really? Am I just stuck?
Thanks guys! Sorry if it's a dumb question...I'm at a loss.
-
The administrator is the one who should be reinstalled :mad:. He is just too lazy to do extra work. A server will not have any vulnerabilities if installed and configured properly.
Just my 2 cents.
-
So PHP doesn't really make it any more vulnerable?
-
Not if you know how to use it.
-
PHP by itself doesn't make the server more vulnerable, it's poorly coded PHP scripts on the server that could open it up to hackers.
-
I think that's a bit harsh on the poor admin. He is ultimately responsible for the mail server staying up, so adding anything else is going to increase the risk of failure. I'd also refuse to put PHP on a production box that was running another service. Just one typo in a script may open the whole server to teh skr1pt k1dd13s.
-
Yes, but I've tried to explain to him that I'm not writing the script. It's a secure and trusted existing application.
He sent me this link http://www.sans.org/top20/#c3 and forwarded my request to his bosses and the district administrators. My reply was:
"My understanding of what you sent me says that if you install the most recent version of PHP you are fine, and it is still almost all scripting problems. This article also details what you can do to protect yourself from such risks. I’m not sure what the problem is."
Am I making an idiot of myself on this?
Thanks!
-
I'd say if you're running a Windows server, the last thing you'd be concerned about is installing PHP on it. The guy is your typical Microsoft idiot, if it doesn't have pretty windows or there's not a patch to install every week, typically they'd be lost.