>I'd like to know if there is any vulnerability with PHP 4.0.4 pl1 running
>IIS servers.
None that I'm aware of that are due to php, unless you write silly scripts
which allow access to things they shouldn't. There are probably uncountable
NT vulnerabilities though. One which recently frightened me was that if you
append +.htr to a requested URL (eg www.mydomain.com/myphpfile.php  - or
indeed myaspfile.asp) on a standard setup you get the script source complete
with any passwords you were unwise enough to put in there. Easily fixed by
removing the .htr script mapping in the internet service manager, but
frightening to find out you've been running your servers for several years
whilst unaware of the problem.

Phil Driscoll
Dial Solutions
+44 (0)113 294 5112

PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Reply via email to