This morning Microsoft released a security update that addresses the ASP.NET Security Vulnerability. PHP applications running on IIS are subject to this vulnerability if ASP.NET is enabled in IIS.
IMPORTANT: Even if PHP applications on IIS do not use any of the ASP.NET features, the vulnerability still exists as long as ASP.NET is enabled. It is recommended to install the security update as soon as possible.
The security update is available today via the Microsoft Download Center. In the next few days it will also be distributed via Windows Update channels. Once the update is on Windows Update, you can run Windows Update on your servers to automatically apply the security patch.
If you plan to download the updates directly from Microsoft Download Center then follow the instructions in Scott Guthrie’s blog at:
ruslany on September 28th 2010 in PHP
Update on Sep 28th, 2010: The security update for the vulnerability is available. More details can be found at PHP on IIS: get the latest security updates now.
Microsoft has recently released a Security Advisory about a security vulnerability in ASP.NET. This vulnerability exists in all versions of ASP.NET. PHP applications running on IIS are also subject to this vulnerability if ASP.NET is enabled in IIS.
IMPORTANT: Even if a PHP application is not using any of the ASP.NET features, the vulnerability still exists as long as ASP.NET is enabled.
More information about the vulnerability can be found at the following links:
This blog post describes how to protect your PHP applications on IIS from attacks that exploit this vulnerability. Continue Reading »
ruslany on September 22nd 2010 in PHP
Today the IIS team released the Dynamic IP Restrictions Extension for IIS 7.0 – Beta. The Dynamic IP Restrictions Extension provides IT professionals and hosters with a configurable module that helps mitigate or block denial-of-service attacks and brute-force password cracking by temporarily blocking the Internet Protocol (IP) addresses of HTTP clients whose requests follow a pattern that could be conducive to one of these attacks. The module can be configured so that the analysis and blocking are done at the web server level or the web site level.
Install the Dynamic IP Restrictions Beta Today!
Microsoft Dynamic IP Restrictions for IIS 7.0 – Beta (x86)
Microsoft Dynamic IP Restrictions for IIS 7.0 – Beta (x64)
If IIS already has the IPv4 Address and IP restrictions module enabled, then the Dynamic IP Restrictions installer will need to uninstall the existing module in order to continue the setup process. Note that the existing IPv4 configuration will be preserved while the old module is removed and the new module is installed. Continue Reading »
ruslany on February 16th 2009 in Other
Recently I was told about Smashing Magazine, which turned out to be a pretty useful site. It is targeted at web developers and web designers and it contains tons of information, tools and freebies for web developers. One of the articles on that site was about 10 Steps To Protect The Admin Area in WordPress. In that article, step #7 described how to use the web server’s built-in authentication to provide an extra protection layer for the wp-admin directory, where all WordPress admin scripts are located. The article described how to do that in Apache by using an .htaccess file. In this post I will explain how to protect the WordPress wp-admin directory on IIS 7.0 by using IIS built-in Forms Authentication. Continue Reading »
ruslany on February 6th 2009 in PHP, WordPress