Windows server 2003 Security - Javascript

Pantho · 02-20-2008, 09:30 AM

Me and a friend have purchased a dedicated server.

This box is running Windows 2003 Standard R2 x86

We use it as a web server along with running a game server (CS:S)

We are having a debate on the security issues implied with enabling Javascript inside Internet Explorer 7 on the server.

When using remote desktop, we want to be able to download mods/mappacks etc for the server. But doing this is difficult as most websites require javascript enabled.

I know javascript enabled is a security risk if the user visits a "dodgy" website.

But is it a security risk just being enabled? He seems to insist people could use php exploits to upload/activate custom javascripts on the server.

I cannot find any reference to these exploits on the internet, ive found some with shell/asp scripts but not with javascript.

Thankyou

/pantho

**XtabbedoutX** · 02-20-2008, 02:49 PM

I would disable it AS LONG AS you are only going to download map packs and patches. I would not surf the internet with a server any way. Use a client computer to download the map packs and patches then upload them to the server.

With a gaming server you have to leave ports open anyway so that is a greater security risk than java script.

Pantho · 02-20-2008, 07:15 PM

Quote:

Originally Posted by XtabbedoutX

I would disable it AS LONG AS you are only going to download map packs and patches. I would not surf the internet with a server any way. Use a client computer to download the map packs and patches then upload them to the server.

With a gaming server you have to leave ports open anyway so that is a greater security risk than java script.

Problem with servilely limited upload capabilities on client side.

But i already decided on the action, and jscript will be disabled.

But i am trying to settle a debate on the subject :)

Does enabling javascript, even if we never surfed the internet, have any significant security risks?

**XtabbedoutX** · 02-21-2008, 10:16 AM

Quote:

Originally Posted by Pantho

But is it a security risk just being enabled? He seems to insist people could use php exploits to upload/activate custom javascripts on the server.

No. You can run JavaScript on a server without having it enabled in IE anyway. JavaScript is used for more than just websites.

I have a content filter that the management console is written in java and does not use a browser.

02-20-2008, 09:30 AM	#1 (permalink)
Pantho Registered User Join Date: Feb 2008 Posts: 2 OS: xp,vista,centos,2003server	Windows server 2003 Security - Javascript Me and a friend have purchased a dedicated server. This box is running Windows 2003 Standard R2 x86 We use it as a web server along with running a game server (CS:S) We are having a debate on the security issues implied with enabling Javascript inside Internet Explorer 7 on the server. When using remote desktop, we want to be able to download mods/mappacks etc for the server. But doing this is difficult as most websites require javascript enabled. I know javascript enabled is a security risk if the user visits a "dodgy" website. But is it a security risk just being enabled? He seems to insist people could use php exploits to upload/activate custom javascripts on the server. I cannot find any reference to these exploits on the internet, ive found some with shell/asp scripts but not with javascript. Thankyou /pantho

02-20-2008, 02:49 PM	#2 (permalink)
XtabbedoutX TSF Enthusiast Join Date: Sep 2007 Location: Oklahoma City Posts: 1,189 OS: Server 2K3 R2 SP 2, Server 2K SP4, XP PRO SP 3, Mac OS X 10.5, iPhone My System	Re: Windows server 2003 Security - Javascript I would disable it AS LONG AS you are only going to download map packs and patches. I would not surf the internet with a server any way. Use a client computer to download the map packs and patches then upload them to the server. With a gaming server you have to leave ports open anyway so that is a greater security risk than java script.