Re: PHP flags and site security ???? [Beginner's Corner]

1

PHP flags and site security ????

2005/3/14 2:58
artigas
Quite a regular
Posts: 208
Since: 2004/12/21

Greetings - Newbie question about security.

It is my understanting that there are some flags that need to be turned off for security reasons in the PHP.INI configuration file.

One of them is 'register_globals=off'.

I believe that I have seen also that 'allow_url_fopen=off' and 'register_argc_argv=off' needs to be set. Is this correct?

Are there any other flags that need a specific setting for security purposes?

Are there any other values that need to be changed besides the flags shown above?

Please note that I did search the website, read the 'protector' documents. I just need to work with individuals that host my site to get these posible security problems resolved.

Which brings me to my final question:

Is there a way to change my individual settings for my web site without having the settings changed for everyone that is being hosted?

Any assistance or enlightment provided will be appreciated.

Thanks In Advance.

2

Re: PHP flags and site security ????

2005/3/14 3:38
fatman
Friend of XOOPS
Posts: 176
Since: 2003/12/13

I can't respond specifically to your security questions as I am no security expert myself. But you can change the settings of your PHP.INI file without affecting other sites on your server.

Use the php function ini_set() to override php.ini settings. So to turn globals off you could use ini_set('register_globals', 'Off')

3

Re: PHP flags and site security ????

2005/3/14 3:44
artigas
Quite a regular
Posts: 208
Since: 2004/12/21

Greetings - Thank you for your response.

I am rather new to PHP and XOOPS so I need to know in what file specifically do I make the change.

I assume that this will have to be done early in some file. The only thing that I need to know then is where?

Thanks In Advance.

4

Re: PHP flags and site security ????

2005/3/14 4:01
artigas
Quite a regular
Posts: 208
Since: 2004/12/21

Greetings - I keep finding...

Can I these security flags be added to my public_html home web directory .htaccess file and resolve the problems with the PHP security settings?

.htaccess
php_flag register_globals off
php_flag allow_url_fopen off
php_flag register_argc_argv off

And if this resolves that problem, are there any other additional values that I need to set?

Thanks In Advance.

5

Re: PHP flags and site security ????

2005/3/14 4:32
fatman
Friend of XOOPS
Posts: 176
Since: 2003/12/13

You can use the ini_set method or the .htaccess method. For .htaccess your host has to specifically allow you to use this file but most hosts do and It's probably easier than using ini_set

What you have in your example above looks fine to me.

If you want to try using the ini_set() function you'll want it to get into the first script file by each XOOPS page. I would stick it right at the top of mainfile.php

6

Re: PHP flags and site security ????

2005/3/14 12:54
artigas
Quite a regular
Posts: 208
Since: 2004/12/21

Greetings -

Does anyone else have any additional information about what specific PHP items need to be set because of security reasons?

Thanks In Advance.

7

Re: PHP flags and site security ????

2005/3/14 13:11
Herko
XOOPS is my life!
Posts: 4238
Since: 2002/2/4 1

hello. Have you looked here?

Herko

8

Re: PHP flags and site security ????

2005/3/14 13:58
artigas
Quite a regular
Posts: 208
Since: 2004/12/21

Greetings Herko - Thank you for your reply.

Yes, I have looked in that. If there is something about sugested settings for PHP flags and values, I missed it or could not find it.

Regards,

9

Re: PHP flags and site security ????

2005/3/14 16:45
iHackCode
Module Developer
Posts: 1038
Since: 2004/6/29

Nice Link Herko Especially Liked The XOOPS Site Security Guide. In The Downloads.

http://xoops-tips.com/mydownloads-index.htm

10

Re: PHP flags and site security ????

2005/3/14 16:50
artigas
Quite a regular
Posts: 208
Since: 2004/12/21

Greetings - This is on a remote hosted web site.

PHP Version 4.3.10

Apache/1.3.33 (Unix) mod_gzip/1.3.26.1a mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_ssl/2.8.22 OpenSSL/0.9.6b PHP-CGI/0.1b

I tried added to the end of my .htaccess file in my public_html directory the following items.


<Directory my_path_here>

php_admin_flag register_globals off

</Directory>

I also tried...


<Directory my_path_here>

php_flag register_globals off

</Directory>

In both cases I got a 500 error message and the web site was inaccessible.

Any assistance would be appreciated.

Stats
Goal:	$100.00
Due Date:	Apr 30
Gross Amount:	$0.00
Net Balance:	$0.00
Left to go:	$100.00

PHP flags and site security ????

Re: PHP flags and site security ????

Re: PHP flags and site security ????

Re: PHP flags and site security ????

Re: PHP flags and site security ????

Re: PHP flags and site security ????

Re: PHP flags and site security ????

Re: PHP flags and site security ????

Re: PHP flags and site security ????

Re: PHP flags and site security ????

Login

Search

Recent Posts

Re: Rebuilding and Updating a 20 years old Xoops Website from 2.0.18? to 2.5.11

Rebuilding and Updating a 20 years old Xoops Website from 2.0.18? to 2.5.11

Re: NewBB v 5.1.0 b 6

Re: NewBB v 5.1.0 b 6

NewBB v 5.1.0 b 6

Re: XOOPS 2.5.11 search user is not working

Re: oledrion

Re: oledrion

Re: oledrion

Re: oledrion

Who's Online

Donat-O-Meter

Latest GitHub Commits

{{ record.sha.slice(0, 7) }} - {{ record.commit.message | truncate }}