1
artigas
PHP flags and site security ????
  • 2005/3/14 2:58

  • artigas

  • Quite a regular

  • Posts: 208

  • Since: 2004/12/21


Greetings - Newbie question about security.

It is my understanting that there are some flags that need to be turned off for security reasons in the PHP.INI configuration file.

One of them is 'register_globals=off'.

I believe that I have seen also that 'allow_url_fopen=off' and 'register_argc_argv=off' needs to be set. Is this correct?

Are there any other flags that need a specific setting for security purposes?

Are there any other values that need to be changed besides the flags shown above?

Please note that I did search the website, read the 'protector' documents. I just need to work with individuals that host my site to get these posible security problems resolved.

Which brings me to my final question:

Is there a way to change my individual settings for my web site without having the settings changed for everyone that is being hosted?

Any assistance or enlightment provided will be appreciated.

Thanks In Advance.

2
fatman
Re: PHP flags and site security ????
  • 2005/3/14 3:38

  • fatman

  • Friend of XOOPS

  • Posts: 176

  • Since: 2003/12/13


I can't respond specifically to your security questions as I am no security expert myself. But you can change the settings of your PHP.INI file without affecting other sites on your server.

Use the php function ini_set() to override php.ini settings. So to turn globals off you could use ini_set('register_globals', 'Off')

3
artigas
Re: PHP flags and site security ????
  • 2005/3/14 3:44

  • artigas

  • Quite a regular

  • Posts: 208

  • Since: 2004/12/21


Greetings - Thank you for your response.

I am rather new to PHP and XOOPS so I need to know in what file specifically do I make the change.

I assume that this will have to be done early in some file. The only thing that I need to know then is where?

Thanks In Advance.

4
artigas
Re: PHP flags and site security ????
  • 2005/3/14 4:01

  • artigas

  • Quite a regular

  • Posts: 208

  • Since: 2004/12/21


Greetings - I keep finding...

Can I these security flags be added to my public_html home web directory .htaccess file and resolve the problems with the PHP security settings?

.htaccess
php_flag register_globals off
php_flag allow_url_fopen off
php_flag register_argc_argv off

And if this resolves that problem, are there any other additional values that I need to set?

Thanks In Advance.

5
fatman
Re: PHP flags and site security ????
  • 2005/3/14 4:32

  • fatman

  • Friend of XOOPS

  • Posts: 176

  • Since: 2003/12/13


You can use the ini_set method or the .htaccess method. For .htaccess your host has to specifically allow you to use this file but most hosts do and It's probably easier than using ini_set

What you have in your example above looks fine to me.


If you want to try using the ini_set() function you'll want it to get into the first script file by each XOOPS page. I would stick it right at the top of mainfile.php

6
artigas
Re: PHP flags and site security ????
  • 2005/3/14 12:54

  • artigas

  • Quite a regular

  • Posts: 208

  • Since: 2004/12/21


Greetings -

Does anyone else have any additional information about what specific PHP items need to be set because of security reasons?

Thanks In Advance.

7
Herko
Re: PHP flags and site security ????
  • 2005/3/14 13:11

  • Herko

  • XOOPS is my life!

  • Posts: 4238

  • Since: 2002/2/4 1


hello. Have you looked here?

Herko

8
artigas
Re: PHP flags and site security ????
  • 2005/3/14 13:58

  • artigas

  • Quite a regular

  • Posts: 208

  • Since: 2004/12/21


Greetings Herko - Thank you for your reply.

Yes, I have looked in that. If there is something about sugested settings for PHP flags and values, I missed it or could not find it.

Regards,

9
iHackCode
Re: PHP flags and site security ????

Nice Link Herko Especially Liked The XOOPS Site Security Guide. In The Downloads.

http://xoops-tips.com/mydownloads-index.htm

10
artigas
Re: PHP flags and site security ????
  • 2005/3/14 16:50

  • artigas

  • Quite a regular

  • Posts: 208

  • Since: 2004/12/21


Greetings - This is on a remote hosted web site.

PHP Version 4.3.10

Apache/1.3.33 (Unix) mod_gzip/1.3.26.1a mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_ssl/2.8.22 OpenSSL/0.9.6b PHP-CGI/0.1b

I tried added to the end of my .htaccess file in my public_html directory the following items.

<Directory my_path_here>
php_admin_flag register_globals off
Directory>

I also tried...
<Directory my_path_here>
php_flag register_globals off
Directory>

In both cases I got a 500 error message and the web site was inaccessible.

Any assistance would be appreciated.

Login

Who's Online

121 user(s) are online (109 user(s) are browsing Support Forums)


Members: 0


Guests: 121


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Dec 31
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits