11
iHackCode
Re: PHP flags and site security ????

i just put

php_flag register_globals off


my .htaccess file in XOOPS root looks like this
php_flag   register_globals   off
<Files admin.php>
order deny,allow
deny from all
allow from 216.239
Files>
<
Files "mainfile.php">
Deny from all
Files>
Options All -Indexes


*216.239 is not part of my ip address i edited it so no one would know what i actually put in there.


12
artigas
Re: PHP flags and site security ????
  • 2005/3/14 17:30

  • artigas

  • Quite a regular

  • Posts: 208

  • Since: 2004/12/21


Greetings Bandit-X - Thank you for your response.

I tried it like you mentioned it and I still get the 500 error and the web site becomes inaccessible. Here is the actual text of the message showing on the web page.

Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator, [me] and inform them of the time the error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log.

Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request.


I am somewhat at a loss here. This should work. It is got to be something that I do not know that is getting me.

Regards,

13
iHackCode
Re: PHP flags and site security ????

What Does The Error Log Say. ?

-Found This Online

"However, if your host has used php_admin_flag or php_admin_value in one of the httpd configuration files then you can not override this via .htaccess/ini_set etc."

14
Dave_L
Re: PHP flags and site security ????
  • 2005/3/14 18:41

  • Dave_L

  • XOOPS is my life!

  • Posts: 2277

  • Since: 2003/11/7


Don't use the the "Directory" directive in an .htaccess file. I'm pretty sure that's not allowed.

15
artigas
Re: PHP flags and site security ????
  • 2005/3/14 18:58

  • artigas

  • Quite a regular

  • Posts: 208

  • Since: 2004/12/21


Greetings Bandit-X and Dave_L -

Thank you for your replies. I will attempt the other method which was to set the flags programmatically from mainfile.php.

Regards,

16
Dave_L
Re: PHP flags and site security ????
  • 2005/3/14 19:27

  • Dave_L

  • XOOPS is my life!

  • Posts: 2277

  • Since: 2003/11/7


According to the PHP manual, register_globals cannot be set using ini_set(), but only within php.ini, httpd.conf or .htaccess.

17
artigas
Re: PHP flags and site security ????
  • 2005/3/14 19:48

  • artigas

  • Quite a regular

  • Posts: 208

  • Since: 2004/12/21


Greetings Dave_L - Your are correct.

register_globals boolean
Whether or not to register the EGPCS (Environment, GET, POST, Cookie, Server) variables as global variables.

As of PHP 4.2.0, this directive defaults to off.

Please read the security chapter on Using register_globals for related information.

Please note that register_globals cannot be set at runtime (ini_set()). Although, you can use .htaccess if your host allows it as described above. An example .htaccess entry: php_flag register_globals off.

Note: register_globals is affected by the variables_order directive.


Thank You for your response.
Regards,
Roberto Artigas

18
tjnemez
Re: PHP flags and site security ????
  • 2005/3/14 20:56

  • tjnemez

  • Home away from home

  • Posts: 1594

  • Since: 2003/9/21


anyone know how to set 'allow_url_fopen' to off? i get the following message in my security advisory:

'allow_url_fopen' : on Not secure
This setting allows attackers to execute arbitrary scripts on remote servers.
Only administrator can change this option.
If you are an admin, edit php.ini or httpd.conf.
Sample of httpd.conf:
php_admin_flag allow_url_fopen off
Else, claim it to your administrators.

19
Dave_L
Re: PHP flags and site security ????
  • 2005/3/14 21:03

  • Dave_L

  • XOOPS is my life!

  • Posts: 2277

  • Since: 2003/11/7


allow_url_fopen can only be set in php.ini or httpd.conf. If you don't have access to those files, you can't change that setting.

20
tjnemez
Re: PHP flags and site security ????
  • 2005/3/14 21:07

  • tjnemez

  • Home away from home

  • Posts: 1594

  • Since: 2003/9/21


thanks dave, thats what i thought. i have contacted my hosting co.

Login

Who's Online

105 user(s) are online (89 user(s) are browsing Support Forums)


Members: 0


Guests: 105


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Dec 31
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits