I did a search for this string below in the location above.

php_admin_flag allow_url_fopen off

I did not find it or even parts of it.

So I added it to the file. Saved it back to the server.

I am not sure if this mattered below but I did this anyway.

I cleared templates_c then reloaded my website. Clicked on protector and I still had this error.

Do I need to restart http? For this code to take effect...

If I dont need to restart http... Where is the php.ini file?

I also should have added that after I added the code. I checked back inside protector and the error is still there.

So I changed the .conf file back

I just want someone to clarify before I restart http.

Also could you clarify that the code below is correct to add to my httpd.conf?

php_admin_flag allow_url_fopen off

Is there a certain place it should be added to the file?

I've searched and read all thru all the posts. I also turned allow_url_fopen off in the php.ini still nothing.

Do I need to restart http after one of these mods? For the changes to take effect.

Im also worried im going to knock out my sons sites which are mostly EVO php puke. lol

Did I mention I dropped a php.ini in every folder like monty had suggested in this thread.

https://xoops.org/modules/newbb/viewtopic.php?topic_id=58069&viewmode=flat&order=ASC&start=20and

adding it to...

xoops root (where mainfile.php is located)

then in modules/your module/ (where the modules xoops_version.php) is located

also in modules/your module/admin/

Many hours messing with protector and no joy...

This is what it still says below in protector 3.04 after countless wasted hours...

-------------

'register_globals' : off ok

'allow_url_fopen' : on Not secure
This setting allows attackers to execute arbitrary scripts on remote servers.
Only administrator can change this option.
If you are an admin, edit php.ini or httpd.conf.
Sample of httpd.conf:
php_admin_flag allow_url_fopen off
Else, claim it to your administrators.

'session.use_trans_sid' : off ok

'XOOPS_DB_PREFIX' : XOOPS Not secure
This setting invites 'SQL Injections'.
Don't forget turning 'Force sanitizing *' on in this module's preferences.
Go to prefix manager

'mainfile.php' : patched ok

Try

allow_url_fopen = 0

in php.ini

In the php.ini it says...

allow_url_fopen = On

So im confuse... if it says "On" I should use "Off" right?


I will try this... = 0


But the real question is do I need to reboot that server for the changes to take effect?

Quote:

The settings you need to change are for php.

My understaning is quite limited on 'how' php runs, but I think basically PHP can be installed as a CGI binary, or installed as an Apache module.

It depends on how you have php setup.

Surely rebooting will tell you whether a reboot was needed.

If PHP is running as an Apache module, and you make changes to the main Apache configuration file httpd.conf or to php.ini, then you'll have to restart the Apache service.

Restarting the Apache service only takes a few seconds and will probably not be noticed by any users.

You can tell whether PHP is running as an Apache module using phpinfo() (the "Show PHP information" link on phpmyadmin's top page). Near the top of the output you should see something like this:

Quote:

I'll do it.

Thank you Will! I spent alot of wasted time trying to get this right.

Anyway Will solved this in 2 minutes...

Here is the correct way to do it...

Open up

/usr/local/apache/conf/httpd.conf

Then scroll all the way down to your domain it will look like this below. You might be set up with lots of these like we are. Just make sure you edit the domain that you want to install protector on only.

-------------------


ServerAlias yourdomain.org
ServerAdmin webmaster@yourdomain.org
DocumentRoot /home/yourdomain/public_html
BytesLog domlogs/yourdomain.org-bytes_log
ServerName http://www.yourdomain.org
php_admin_flag allow_url_fopen off

User yourdomain
Group yourdomain
CustomLog /usr/local/apache/domlogs/yourdomain.org combined
ScriptAlias /cgi-bin/ /home/yourdomain/public_html/cgi-bin/


--------------------

See where this code below is put in httpd.conf?
php_admin_flag allow_url_fopen off

Thats it save it back to the server and restart http.

By the way you should make a back up of your file before you do anything to it.

I would like to thank all the people who helped on this. Now maybe someone will be able to figure it out. With out all the wasted time.