News Feed
Sections




News Archive
feed this:

Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

Ruslan Yakushev's Blog:
ASP.NET vulnerability affecting PHP sites on IIS
September 23, 2010 @ 08:50:46

As Ruslan Yakushev points out in this new blog entry, the same security issue that's effecting ASP.NET pages running on IIS web servers can still open up PHP scripts running on the same server.

Microsoft has recently released a Security Advisory about a security vulnerability in ASP.NET. This vulnerability exists in all versions of ASP.NET. The PHP applications running on IIS are also subject to this vulnerability if ASP.NET is enabled in IIS.

The issue allows attackers to access the contents of various files on the server and could allow them to tamper with the data inside. Ruslan notes that, while Microsoft is coming up with a fix, one of the safest things you can do is either completely disable ASP.NET in the IIS server or use this workaround.

3 comments voice your opinion now!
iis vulnerability aspnet disable workaround security


Pierre-Alain Joye's Blog:
how to do not work around filter (don't be lazy )
December 22, 2006 @ 07:14:01

On his blog, Pierre-Alain Joye talks about the ext/filter extension and how several developers just choose to "work around" it instead of using its features right out.

On the other hand, the same persons worked around ext/filter with ugly hacks. Edin pointed me to one of these horrible codes in Serendipity, as I saw this code in other applications like flyspray, I think it is time to raise your attention about what to do not do.

The code he's referencing is a snippet that manually filters each of the superglobals to get rid of any problems that might have been put in. He points out two security problems with the code too: only use PHP functions as a fallback when filter isn't available and never use the superglobals directly outside of the filtering.

Stefan Esser has his own comments on the topic too. He votes for the other way around (own functions over filter's methods) and expresses the opinion that the ext/filter extension is a bad idea similar to the impropper use of magic_quotes_gpc.

Pierre has also responded to these comments in an update to how own blog entry. Check it out for the full story...

1 comment voice your opinion now!
pecl filter extension workaround example serendipity pecl filter extension workaround example serendipity



Community Events





Don't see your event here?
Let us know!


laravel introduction podcast series symfony interview update zendserver list deployment tips library api community language framework install opinion package release

All content copyright, 2014 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework