Security UPDATE--More Help Securing PHP Installations--April 11, 2007

IN FOCUS: More Help Securing PHP Installations

NEWS AND FEATURES

- Scrub Your Ajax Applications to Remove Security Problems

- Wireless Equivalent Privacy Offers No Privacy

- Top 10 Configuration Mistakes and How to Avoid Them

- Recent Security Vulnerabilities

GIVE AND TAKE

- Security Matters Blog: NGSSoftware on Oracle Forensics

- FAQ: View the Full Network Map in Vista

- From the Forum: Why Does Installing Word on a Server Fix EFS Problems?

- Tell Us About the Products You Love!

- Share Your Security Tips

PRODUCTS

- Enforce Strong Passwords

RESOURCES AND EVENTS

FEATURED WHITE PAPER

ANNOUNCEMENTS

=== SPONSOR: Sherpa Software

Roadmap to Email Archiving and Compliance

How will compliance regulations affect your IT infrastructure? Help design your retention and retrieval, privacy and security policies to make sure that your organization is compliant. Download the free eBook today!

http://www.windowsitpro.com/go/ebooks/sherpa/compliance/?code=SecTop0411

=== IN FOCUS: More Help Securing PHP Installations

by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

You probably recall the Month of PHP Bugs (MOPB), which I wrote about in March (see the first URL below). By the end of the MOPB, 41 bugs had been published. Jeff Forristal, a senior research and development engineer at SPI Dynamics, monitored the bug postings, and mid-month, he wrote an article that offers a general overview and analysis (at the second URL below).

http://www.windowsitpro.com/Article/ArticleID/95328/95328.html

http://portal.spidynamics.com/blogs/jeff/archive/2007/03/19/Month-of-PHP-Bugs_3A00_-Mid_2D00_month-analysis.aspx

Forristal's article offers some interesting information about the potential impact of the bugs released up to that time. Most notable is that two of the bugs could lead to a serious server security compromise for those who allow third parties to upload and run PHP-based scripts on their servers. Forristal wrote that "Web hosting companies offering PHP hosting services should be really concerned right now."

Last week, Forristal published a second article regarding MOPB, which is available at the URL below. Again he offers some very interesting analysis that gives you plenty of reason to make absolutely certain that you're using the latest version of PHP 4 or 5. While the analysis is very helpful, I found the information in the section "Being proactive with your PHP installation" even more helpful.

http://portal.spidynamics.com/blogs/jeff/archive/2007/04/03/The-current-state-of-PHP-security-_2800_w_2F00_-MOPB-full-review_2900_.aspx

In that section, Forristal offers a lengthy list of various configuration settings that should be checked. In some cases, you might find that there are a lot of PHP features that your applications don't use and that therefore shouldn't be enabled. You can think of securing your PHP installation as you would any other server hardening process--if you aren't using a component, it shouldn't be enabled on the system.

The next version of PHP 5--PHP 5.2.2--is under development, and Release Candidate 1 (RC1) will have been released into testing by the time you read this or soon will be. While the final version release date isn't set yet, hopefully it won't be too far in the future. When it becomes available, make certain that you upgrade as soon as you can. Unfortunately, there isn't any news as to when a new version of PHP 4 will become available. You can check for news at the PHP.net Web site, and look for future announcements in the php.internals news group at the URL below.

http://news.php.net/php.internals

For yet more ways to secure your PHP installation, see my earlier article at the URL below.

http://www.windowsitpro.com/Article/ArticleID/95404

===

TechX Interoperability Web site and UPDATE email newsletter:

Do you work in a mixed environment? Visit TechX World (at the first URL below) for information about Windows interoperability. The TechX World community gives you access to interoperability articles that aren't available anywhere else; news, tips, and tricks from interop experts and other users; and forums and blog posts by other community members. Join the TechX World community and sign up for the TechX Interoperability UPDATE email newsletter (at the second URL below).

http://techxworld.com

http://techxworld.com/community/reg

=== SPONSOR: Idera

Guide to SQL Server Backup and Recovery

Maximize uptime by using four high-availability technologies that are provided by SQL Server 2005: failover clustering, database mirroring, log shipping and replication. Download this essential guide now and learn to optimize your SQL Server backup and recovery with technologies you already have.

http://www.sqlmag.com/go/essential/idera/backupandrecovery/?code=SecMid0411

=== SECURITY NEWS AND FEATURES

Scrub Your Ajax Applications to Remove Security Problems

Fortify Software recently released an advisory that discusses what it calls "a new class of vulnerability: JavaScript Hijacking" that can affect Web applications written in Asynchronous JavaScript and XML (Ajax).

http://www.windowsitpro.com/Article/ArticleID/95721

Wireless Equivalent Privacy Offers No Privacy

WEP is even less secure than originally thought. New methods can crack the encryption in a matter of minutes.

http://www.windowsitpro.com/Article/ArticleID/95716

Top 10 Configuration Mistakes and How to Avoid Them

Blake Eno recently spoke with Configuresoft's Technology Strategist, George Gerchow, and Vice President of Marketing, Andrew Byrd, about the top 10 configuration mistakes most commonly made and how to avoid them. Get a rundown in this article on our Web site.

http://www.windowsitpro.com/Article/ArticleID/95609

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

http://www.windowsitpro.com/departments/departmentid/752/752.html

=== SPONSOR: HP

Beyond the Buzzword: Demystifying Virtualization

Total Cost of Ownership--TCO--It's every executive's favorite buzzword, but what does it really mean and how does it affect you? In this podcast, Ben Smith explains how your organization can use virtualization technology to measurably improve the TCO for servers and clients.

http://www.windowsitpro.com/go/podcast/hp/virtualization/?code=SecHot0411

=== GIVE AND TAKE

SECURITY MATTERS BLOG: NGSSoftware on Oracle Forensics

by Mark Joseph Edwards, http://www.windowsitpro.com/securitymatters

If you use Oracle database server, you'll probably find these three new papers from Next Generation Security Software (NGSSoftware)'s Databasesecurity.com Web site very useful.

http://www.windowsitpro.com/Article/ArticleID/95698

FAQ: View the Full Network Map in Vista

by John Savill, http://www.windowsitpro.com/windowsnt20002003faq

Q: How do I enable the "Full Network Map" in Windows Vista when the machine is part of a domain?

Find the answer at

http://www.windowsitpro.com/Article/ArticleID/95047

FROM THE FORUM: Why Does Installing Word on a Server Fix EFS Problems?

A forum participant writes that he has two computers running Windows XP Professional SP2. They access Encrypting File System (EFS)-encrypted files on a Windows Server 2003 computer, which happens to be the domain controller (DC). Several types of files are encrypted, including .doc, .xls, .pdf, other Adobe Systems file types, and .txt.

Everything worked fine except that users received an error message when they tried to save a Word file, even one they just created. The forum participant installed Word on the server, and the problem went away. However, the participant notes that Excel, for example, is not on the server, and Excel operations work fine. The participant wonders if this is a known issue and if there's a better way of fixing the problem.

http://forums.windowsitpro.com/web/forum/messageview.aspx?catid=42&threadid=84708&enterthread=y

TELL US ABOUT THE PRODUCTS YOU LOVE!

What products are you using that save you time or make your workload a little lighter? What hot product discoveries have you made that other IT pros need to know about? Let the world know about your experiences in Windows IT Pro's monthly What's Hot department. If we publish your story in What's Hot, we'll send you a Best Buy gift card! Send information about your favorite product and how it has helped you to [email protected].

SHARE YOUR SECURITY TIPS AND GET $100

Share your security-related tips, comments, or problems and solutions in Security Pro VIP's Reader to Reader column. Email your contributions to [email protected]. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

=== PRODUCTS

by Renee Munshi, [email protected]

Enforce Strong Passwords

Altus Network Solutions offers Passfilt Pro 3.54, a password filtering and policy enforcement solution that lets you maintain as many as six password policies in one Windows domain. A new client component provides password requirements specific to the end user, gauges password strength as the user types a new password, and if the password doesn't meet the requirements, gives the user the reasons for failure. Passfilt Pro is controlled by Group Policy Objects (GPOs); it doesn't require a separate password policy server. Passfilt Pro compares a proposed password against a multilanguage dictionary of more than 2 million common passwords and rejects any proposed passwords that are in the dictionary. For more information, go to

http://www.altusnet.com/products/passfilt-pro/

=== RESOURCES AND EVENTS

For more security-related resources, visit

http://www.windowsitpro.com/go/securityresources

Windows + UNIX/Linux = You Need TechX World!

If you work in an environment that includes both Windows and UNIX or Linux, TechX World is the place to go for practical strategies and resources to add to your toolkit. This one-day technical training event will teach you how to make the most of open-source tools on Windows and how to manage and sync multiple directories. Register today!

http://www.techxworld.com/registration/?code=epromo

Get Ready for the Windows Server Longhorn Roadshow!

Seize control of your Windows infrastructure with Microsoft's biggest server release since Windows 2003. Get a live, under-the-hood look at Longhorn virtualization, deployment, Web services, and breakthroughs in core reliability. This one-day event is filled with demonstrations and in-depth discussions designed for IT pros who want a deep understanding of Windows Server Longhorn.

http://www.windowsitpro.com/roadshows/longhorn/?code=epromo

Deploy Exchange Server 2007 Without a Hitch!

This one-day technical training event teaches you how to preempt pitfalls and avoid corrupting your email infrastructure. Learn how to effectively install, manage, and secure Exchange Server 2007 in a 64-bit environment. You'll also get a peek into the integration of Outlook, SharePoint Server 2007, and Exchange Server 2007. Register today!

http://www.windowsitpro.com/roadshows/exchange2007usa/?code=epromo

=== FEATURED WHITE PAPER

Do you want to block unwanted or undesirable email? Download this free white paper to learn how to manage the content of messages traversing your network.

http://www.windowsitpro.com/go/whitepapers/stbernard/cleanup/?code=0305featwp

=== ANNOUNCEMENTS

Introducing a Unique Security Resource

Security Pro VIP is an online information center that delivers new articles every week on topics such as perimeter security, authentication, and system patches. Subscribers also receive tips, cautionary advice, direct access to our editors, and a host of other benefits! Order now at an exclusive charter rate and save up to $50!

https://store.pentontech.com/index.cfm?s=1&promocode=eu2574us

Grab Your Share of the Spotlight!

Nominate yourself or a peer to become IT Pro of the Month. This is your chance to get the recognition you deserve! Winners will receive over $600 in IT resources and be featured in Windows IT Pro. It's easy to enter--we're accepting June nominations now, but only for a limited time! Submit your nomination today:

http://www.windowsitpro.com/go/itpromonth