11
carpeweb
Re: Protector
  • 2007/4/3 19:58

  • carpeweb

  • Just popping in

  • Posts: 38

  • Since: 2002/9/12


Thanks, Dave.

It's on.

Quote:
"resource(3) of type (stream)"


Before I contact my host provider about this, does (3) mean something different from the (5) in your example?

In any case, my host provider is saying it is disabled, which clearly is not the case.

Great, easy test. Thanks!

Jim

12
vaughan
Re: Protector
  • 2007/4/3 21:18

  • vaughan

  • Friend of XOOPS

  • Posts: 680

  • Since: 2005/11/26


Quote:

carpeweb wrote:
I'm also having some problems with allow_url_openf.

My XOOPS Info has a red dot next to this parameter, but my host said that this option is disabled system-wide. I checked a file called .htaccess in my root (public_html) folder, and it has the following line:

php_flag allow_url_fopen off

So, it seems to me that my host is doing the right thing here, but somehow XOOPS Info is maybe looking in httpd.conf or some other file for the same setting. I don't have access to httpd.conf; at least I don't see it in my file manager from my hosting provider.

Does anyone know how I can confirm whether I'm protected against allow_url_fopen?

Thanks!


use php_admin_flag allow_url_fopen off instead of php_flag allow_url_fopen off

13
Dave_L
Re: Protector
  • 2007/4/3 21:45

  • Dave_L

  • XOOPS is my life!

  • Posts: 2277

  • Since: 2003/11/7


Quote:
Quote:
"resource(3) of type (stream)"


Before I contact my host provider about this, does (3) mean something different from the (5) in your example?
[/quote]

I don't know what the "3" or "5" mean, but it doesn't matter for this purpose. The fact that the fopen() call returned a non-false result means that allow_url_fopen is on.

14
carpeweb
Re: Protector
  • 2007/4/4 13:20

  • carpeweb

  • Just popping in

  • Posts: 38

  • Since: 2002/9/12


Quote:
use php_admin_flag allow_url_fopen off instead of php_flag allow_url_fopen off


Vaughan, when I tried this, my admin menu would not load and the page looked like this:
Quote:

Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator, webmaster@hoahuntersrun.com and inform them of the time the error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log.

Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request.
Apache/1.3.37 Server at hoahuntersrun.com Port 80

Do I need my host to restart the server or something like that? When I change .htaccess back, everything looks fine, without restarting or anything.

Thanks,
Jim

15
Dave_L
Re: Protector
  • 2007/4/4 14:26

  • Dave_L

  • XOOPS is my life!

  • Posts: 2277

  • Since: 2003/11/7


You can't use php_admin_flag in an .htaccess file.

The parameter allow_url_fopen can only be changed in the main (server-wide) Apache config file, or in the PHP .ini file.

16
vaughan
Re: Protector
  • 2007/4/4 14:46

  • vaughan

  • Friend of XOOPS

  • Posts: 680

  • Since: 2005/11/26


@dave,

you can use php_flags in .htaccess when PHP is running as an apache module instead of in CGI mode.

but from the error given above it does look like PHP is running in CGI mode, in which case you need to create a php.ini file and place it in every folder that has an executable script.

by that i mean you have to place a php.ini file in XOOPS root folder, then in each modules root folder and also each modules admin folder. php.ini files do not affect folders below them like htaccess does.

in your php.ini file you need to add:

register_globals = 0
allow_url_fopen = 0
session.use_only_cookies = 1


session.use_only_cookies is optional but may give you a tiny bit more protection aswell..

17
Dave_L
Re: Protector
  • 2007/4/4 16:24

  • Dave_L

  • XOOPS is my life!

  • Posts: 2277

  • Since: 2003/11/7


Quote:

vaughan wrote:
@dave,

you can use php_flags in .htaccess when PHP is running as an apache module instead of in CGI mode.


But some flags, such as allow_url_fopen, cannot be set in an .htaccess file.

References:
http://us3.php.net/manual/en/ini.php#ini.list
http://us3.php.net/manual/en/ref.filesystem.php#ini.allow-url-fopen
(Note the "Changeable" column.)

18
carpeweb
Re: Protector
  • 2007/4/4 16:29

  • carpeweb

  • Just popping in

  • Posts: 38

  • Since: 2002/9/12


Well, I put the php.ini file in all the folders you mentioned, and it's still on, according to the test script from dave as well as the red dot in XOOPS Info.

Does the php.ini file take care of the matter somehow behind the scenes?

Thanks,
Jim

19
vaughan
Re: Protector
  • 2007/4/4 17:30

  • vaughan

  • Friend of XOOPS

  • Posts: 680

  • Since: 2005/11/26


Quote:

Dave_L wrote:

But some flags, such as allow_url_fopen, cannot be set in an .htaccess file.


i stand corrected :) it has been changed as you used to be able to, but that was prior to 4.3.4 by the looks of that table.

back to Carpeweb,

it should work in php.ini, but it looks like your host has configured PHP to not allow overrides of that setting (for some strange reason), I can't think of anything else you can do apart from plead with your host on the grounds of you're paying for a hosting service and you want to disable that function because of it being a security issue which can open your site up to exploitation which in turn can bring everyone elses site down that is hosted on that server (potentially). they should at least be able to allow it to be overriden on a per user basis by using a php.ini file like all other GOOD hosts allow.

20
carpeweb
Re: Protector
  • 2007/4/4 18:34

  • carpeweb

  • Just popping in

  • Posts: 38

  • Since: 2002/9/12


My host says they have "mod security installed to prevent these types of exploits".

Somehow, that doesn't make me feel great, but otherwise my host (OpenSourceHost.com) has been great. So, does "mod security" give me similar protection?

Thanks,
Jim

Login

Who's Online

327 user(s) are online (242 user(s) are browsing Support Forums)


Members: 0


Guests: 327


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Nov 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits