XOOPS 
Forum
Forum Index General Forums Community Support Modules Support Themes Support Development International Support Module Hack Reviews Theme Designer Talk
  1. Board index / 
  2. Xoops Development / 
  3. Xoops Bug Reports 
  4.  / Xoops "xoopsConfig[language]" Local File Inclusion Vulnerability
Register
11
Bezoops
Re: Xoops "xoopsConfig[language]" Local File Inclusion Vulnerability

  • 2005/11/22 17:14

  • Bezoops

  • Friend of XOOPS

  • Posts: 38

  • Since: 2004/12/9


* About this Vulnerability:
Really, from now, protector module prevent to this kind of attacks, named Variables contaminations.

* About php flags:
In my web site explain me that i can configure each php.ini for each foder, but i cannot make a php.ini for all the site.

Need I to put php.ini in all the folders?
Or, are only a especial folders that need it?

I think, in root and each module root. Correct? or also in root_module/admin/ ?

This php.ini has included, only that:
Quote:
register_globals = off
allow_url_fopen = off
session.use_trans_sid = off


If i put this php.ini in mysite.com/modules/protector/admin/, protector says that all is Ok.
But i know that is not Ok
12
m0nty
Re: Xoops "xoopsConfig[language]" Local File Inclusion Vulnerability

  • 2005/11/22 17:48

  • m0nty

  • XOOPS is my life!

  • Posts: 3337

  • Since: 2003/10/24


at bezoops:

when using the php.ini file method (i think has to be done in CGI mode anyway as htaccess doesn't work) you have to place the file in every folder for it to be effective.

.htaccess only has to be placed in the parent folder, and it will then set the same for all child folders that are below it :)
13
Tobias
Re: Xoops "xoopsConfig[language]" Local File Inclusion Vulnerability

  • 2005/11/26 8:17

  • Tobias

  • Not too shy to talk

  • Posts: 172

  • Since: 2005/9/13


Quote:
when using the php.ini file method (i think has to be done in CGI mode anyway as htaccess doesn't work) you have to place the file in every folder for it to be effective.

Not that I knew anything about these things, but I had always believed that, at least on my webhost, one php.ini in the public html root does for all subdirectories. I even got the impression that once, by trying to allow url_fopen for one specific subdirectory through an individual php.ini, I was causing a little confusion in the system. After all, there's always something from other directories included. Am I mistaken?
www.affvu.org
14
Bananadude
Re: Xoops "xoopsConfig[language]" Local File Inclusion Vulnerability

  • 2005/11/26 16:01

  • Bananadude

  • Not too shy to talk

  • Posts: 155

  • Since: 2005/9/16


Think he means that if you have access to php.ini you can change it there and you then don't have to use .htaccess for these parameters or change anything else, if not - you have to ask your server-admin or use .htaccess

allow_url_fopen can only be changed in httpd.conf or in your php.ini
--- censored by Bananadude ---
15
m0nty
Re: Xoops "xoopsConfig[language]" Local File Inclusion Vulnerability

  • 2005/11/26 17:54

  • m0nty

  • XOOPS is my life!

  • Posts: 3337

  • Since: 2003/10/24


not quite.. when running php in CGI mode, htaccess files don't work.

but instead you can create a php.ini file and place the relevant commands in there just like editing php.ini, but you have to place it in every folder. in brief, the php.ini file only affects files that are in the same directory and not any directories below it.

htaccess works differently and affects all child directories below it..
« 1 (2)

Login

Register now!  |  Lost Password?

Search

Advanced Search

Recent Posts

Who's Online

228 user(s) are online (150 user(s) are browsing Support Forums)

Members: 0

Guests: 228

more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Apr 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits