1
The security advisory in Protector Module gives me the following warning:
'allow_url_fopen' :
on Not secure This setting allows attackers to execute arbitrary scripts on remote servers.
Only administrator can change this option.
If you are an admin, edit php.ini or httpd.conf.
Sample of httpd.conf:
php_admin_flag allow_url_fopen off
Else, claim it to your administrators.
So I sent an email to my host. The reply is as below.
Quote:
Hello,
allow_url_fopen : This option enables the URL-aware fopen wrappers that enable accessing URL object like files. Default wrappers are provided for the access of remote files using the ftp or http protocol, some extensions like zlib may register additional wrappers.
option is on because it is required by too many clients for normal use so we can not get it off.
Please check that we are monitoring the servers at all time ie 24X7 and we have logs generating which helps catching abusers within no time so not to worry about the server's security, we are here for it.
Please check the same and get back to us if you have any further concern.
Regards,
Jason
XXXX Support Team.
This is all over my head, so my question is this. Should I be concerned about the security of my site, or should I trust the explanation/reasons given by my host?
