XAMPP

[jtusa]

I was thinking about running XAMPP for a closed, internal website just for our team at work. I want to run a wiki and some other stuff on it just for us to keep notes, etc. I realize XAMPP is intended for testing and dev, not production, but this server is firewalled and closed off from the outside. However, I still want to take the necessary precautions to make sure it's as locked down as it can be.

I was planning on using the non-install version on a Windows server. What settings can I change to make it as secure as possible? I saw the lampp security command that can be run, but I'm looking for anything on top of that.

I'm going this route so I can avoid an actual install on the server. I don't want to have to get IIS running and install PHP, MySQL, etc. Thanks in advance for any input.

 

[troytime]

installing apache, php and mysql is probably just as easy and a LOT more flexible

 

[n0cmonkey]

I'd start by removing PHP.

 

[jtusa]

Originally posted by: n0cmonkey
I'd start by removing PHP.

Going to need PHP to run the wiki software.

 

[jjones]

Originally posted by: n0cmonkey
I'd start by removing PHP.

Why?

 

[jtusa]

More.

 

[n0cmonkey]

Originally posted by: jjones

Originally posted by: n0cmonkey
I'd start by removing PHP.

Why?

Link

A search of the database, maintained by the National Institute of Standards and Technology (NIST), found that Web applications written in PHP likely account for 43 percent of the security issues found so far in 2006...

It's just bad.

 

[sourceninja]

I recently setup a wiki for my work. We used MoinMoin. It's python based, and can even run without apache (although I am running it with apache). I am very impressed with it so far. Our office has 15 people using the wiki. So far its working great.

 

[n0cmonkey]

The good stuff (suhosin, hardened PHP, etc) seems to be *nix mostly.
This mostly deals with the software on a real platform, but some of it may be applicable (pay attention to the parameters section about 1/3 down the page).

 

[troytime]

Originally posted by: n0cmonkey

Originally posted by: jjones

Originally posted by: n0cmonkey
I'd start by removing PHP.

Why?

Link

A search of the database, maintained by the National Institute of Standards and Technology (NIST), found that Web applications written in PHP likely account for 43 percent of the security issues found so far in 2006...

It's just bad.

no offense...but thats retarded.
all of those 'security issues' aren't related to php, they're relating to poorly coded php.
if you want to give security advice, tell people to not installed phpBB and other crappy php scripts.

 

[n0cmonkey]

Originally posted by: troytime
no offense...but thats retarded.
all of those 'security issues' aren't related to php, they're relating to poorly coded php.
if you want to give security advice, tell people to not installed phpBB and other crappy php scripts.

Did you read the first link? (emphasis mine)

The reasons for this are many, but the most important one is that I have realised that any attempt to improve the security of PHP from the inside is futile. The PHP Group will jump into your boat as soon you try to blame PHP's security problems on the user but the moment you criticize the security of PHP itself you become persona non grata.

It will also mean that some of my advisories will come without patches available, because the PHP Security Response Team refused to fix them for months.

Obviously if you setup PHP right and use good PHP software you don't have so much to worry about. But with the proliferation of bad PHP software (43% of vulnerabilities reported in 2006 are for PHP software? :shocked: ) and piss poor default install why bother?