| Re: Protector Module Security Problems |
| by m0nty on 2005/4/23 6:19:19 i can confirm that the php.ini method works when php is in CGI mode and .htaccess isn't possible.. have just done it on a 1 & 1 server as they use CGI unfortunately.. it was nice also to be able to set other things.. hehehe register_globals = Off allow_url_fopen = Off memory_limit = 40M post_max_size = 32M <was 8M> upload_max_filesize = 20M <was 2M> |
| Re: Protector Module Security Problems |
| by xianxoop on 2005/4/19 6:19:07 place this in your php.ini register_globals = Off allow_url_fopen = Off ----------- Some companies are running cgi instead of php According to them you need to put this php.ini in the following directories: public_html, in the any modules that you are running . i.e /public_html/modules/protector, /public_html/modules/protector/admin, /public_html/modules/downloads/admin and so on and so on So if your hosting company is running cgi instead of php (for any reason), you are screwed. “ Unless some one corrects this insanity.” So please tell me these are nonsense and there is better way to do this. |
| Re: Protector Module Security Problems |
| by jdseymour on 2005/4/19 1:52:45 It would be a good idea to post this at the Developer's Forum. He could answer this, but he does not come to this site very often.
|
| Re: Protector Module Security Problems |
| by sensei88 on 2005/4/19 1:03:28 .... |
| Protector Module Security Problems |
| by sensei88 on 2005/4/14 6:07:29 I recently changed servers and normally I implement the changes proposed by the protector module in the .htaccess file. My new server though edits the .htaccess to comment out my changes saying: # For security reasons, mod_php is not used on this server. Use a php.ini file for php directives # php_flag register_globals off So I went to my php.ini and changed to register_globals = Off register_argc_argv = Off I was unable to find anything related to 'allow_url_fopen'. Now the thing that bothers me is that when I go to my protector module and run the security advisory, it says: 'register_globals' : on Not secure This setting invites a variety of injecting attacks. If you can put .htaccess, edit or create... /home/xxx/public_html/.htaccess php_flag register_globals off 'allow_url_fopen' : on Not secure This setting allows attackers to execute arbitrary scripts on remote servers. Only administrator can change this option. If you are an admin, edit php.ini or httpd.conf. Sample of httpd.conf: php_admin_flag allow_url_fopen off Else, claim it to your administrators. I know that register_globals is off from running a phpinfo(), so why does it say that its on. Also where can I change allow_url_fopen to off in php.ini? |