1
GPboarder
Protector 3.2 - Register Globals, url_fopen, Contaminations, Isolated Comments and Prefix
  • 2008/11/11 19:18

  • GPboarder

  • Friend of XOOPS

  • Posts: 248

  • Since: 2006/10/6


I have Protector 3.2 installed with XOOPS 2.3.1.
I have the alert that register_globals and allow_url_fopen are not secure. How much of a concern is this and how do I fix it? I have done some reading but can't figure it out.

I also have one site that was installed by the host with the default prefix. How do I fix that issue?

When I use the Check if Protector works well functions, the one for Contaminations tells me that "Protector detects attacking actions". The one for Isolated Comments takes me to my home page. Is this what is supposed to happen?

Optimism is the mother of disappointment.

2
sabaM
Re: Protector 3.2 - Register Globals, url_fopen, Contaminations, Isolated Comments and Prefix
  • 2008/11/12 0:31

  • sabaM

  • Just popping in

  • Posts: 58

  • Since: 2007/11/4


Do you have access to the php.ini file? If you do not have access, then ask the webmaster of the server to change register_globals On to register_globals Off, and also allow_url_fopen On to allow_url_fopen Off.

If you have access to php.ini, edit the php.ini file and send it with FTP to xoops_trust_path/modules/protector/

regards
saba
Translation of XOOPS core and modules into Bosnian
Visit my other websites too: | http://g-orahovica.com | http://beha-raja.net

3
GPboarder
Re: Protector 3.2 - Register Globals, url_fopen, Contaminations, Isolated Comments and Prefix
  • 2008/11/12 3:41

  • GPboarder

  • Friend of XOOPS

  • Posts: 248

  • Since: 2006/10/6


Thanks,

Where would the php.ini file be located?

Using cPanel I have access to the server at a level showing me the folders www, public_html, public_ftp etc however I don't see a php.ini file. I assume it is not in the root folder of my site.

Is this something I have to ask the hosting company to do?

Optimism is the mother of disappointment.

4
ghia
Re: Protector 3.2 - Register Globals, url_fopen, Contaminations, Isolated Comments and Prefix
  • 2008/11/12 4:18

  • ghia

  • Community Support Member

  • Posts: 4953

  • Since: 2008/7/3 1


Quote:
Is this something I have to ask the hosting company to do?
Yes, ask them to set register_globals and allow_url_fopen to off.

5
GPboarder
Re: Protector 3.2 - Register Globals, url_fopen, Contaminations, Isolated Comments and Prefix
  • 2008/11/12 4:29

  • GPboarder

  • Friend of XOOPS

  • Posts: 248

  • Since: 2006/10/6


Thanks, much appreciated.

Any takers on the Isolated Comments or prefix questions?
Optimism is the mother of disappointment.

6
ghia
Re: Protector 3.2 - Register Globals, url_fopen, Contaminations, Isolated Comments and Prefix
  • 2008/11/12 10:38

  • ghia

  • Community Support Member

  • Posts: 4953

  • Since: 2008/7/3 1


Quote:
Any takers on the Isolated Comments
It opens a new window with
Quote:
Protector detects attacking actions
But I'm not sure, if that may be dependent on Protector version or configuration.
Quote:
prefix questions
Did you miss both links on the same page to the prefix manager?

7
GPboarder
Re: Protector 3.2 - Register Globals, url_fopen, Contaminations, Isolated Comments and Prefix
  • 2008/12/5 20:46

  • GPboarder

  • Friend of XOOPS

  • Posts: 248

  • Since: 2006/10/6


ouch!

No, I didn't, but it was a fair question.

That being said, I think I may have more issues than I thought. I didn't edit mainfile.php to define a XOOPS Trust Path as the readme instructions indicate. Yet the module installed and indicates that it is working.

In the 2.3.2a instructions regarding Protector it just notes the changes regarding mainfile.dist.php and that is the only step I took.

So do I start from scratch with Protector?
Optimism is the mother of disappointment.

8
ghia
Re: Protector 3.2 - Register Globals, url_fopen, Contaminations, Isolated Comments and Prefix
  • 2008/12/6 2:21

  • ghia

  • Community Support Member

  • Posts: 4953

  • Since: 2008/7/3 1


Hmm, very weird! I see that my previous post is missing some text one way or another. I did run the two tests, but I have to redo them to know the effects.

The trust path is automatically detected by the install procedure (when it is inside the web root; I don't know about outside).
Anyway, if you want to make your Protector setup better, then you should plan for a directory setup as shown here, if possible.
Also do an update to the latest Protector. If you need to make changes, stop the Protector module first and comment out the two includes for pre- and post-processing in mainfile.php.
After that, check whether it functions correctly.

9
GPboarder
Re: Protector 3.2 - Register Globals, url_fopen, Contaminations, Isolated Comments and Prefix
  • 2008/12/8 18:05

  • GPboarder

  • Friend of XOOPS

  • Posts: 248

  • Since: 2006/10/6


Thanks.

I had located xoops_lib and _data outside of the root, so I guess when I installed Protector it detected the required path based on what I set during the core installation.

In answer to my own question, in case anyone reads this, the Isolated Comments link on the Security Advisory page of protector causes an entry into the Protect Center log.
Optimism is the mother of disappointment.

10
GPboarder
Re: Protector 3.2 - Register Globals, url_fopen, Contaminations, Isolated Comments and Prefix
  • 2009/1/13 17:02

  • GPboarder

  • Friend of XOOPS

  • Posts: 248

  • Since: 2006/10/6


I have the latest Protector installed and it seems to be working with the exception that in the Security Advisory it is telling me that Register Globals is "on".

I have asked the hosting company about this and been provided with a link to my phpinfo. That link indicates that, in the configuration of the PHP Core, both the Local Value and Master Value of Register_Globals are "off".

Does this suggest a vulnerability here or perhaps that I have erred somehow in installing Protector?
Optimism is the mother of disappointment.
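
An added example, not part of the thread and not Protector's own code: a small PHP page that prints the master and local values of the two directives discussed above, as PHP applies them in the directory the script is served from. The file name (for instance `inicheck.php`, placed next to mainfile.php) is an assumption, as is the idea that the host's phpinfo link and the XOOPS directory may be configured differently; the script only reports what it finds and should be removed after use.

```php
<?php
// Added example: report the effective settings for the directory this
// file is served from, so they can be compared with the host's phpinfo.
$directives = array('register_globals', 'allow_url_fopen');

// php.ini booleans may be stored as "1", "On", "", "0", "Off", ...
function ini_flag_is_on($value)
{
    $v = strtolower(trim((string) $value));
    return in_array($v, array('1', 'on', 'yes', 'true'), true);
}

function describe_directive($name, array $all)
{
    if (!array_key_exists($name, $all)) {
        // register_globals was removed from PHP in 5.4.0.
        return sprintf('%-18s not present in this PHP build', $name);
    }
    // ini_get_all() with details: global_value is phpinfo's "Master Value",
    // local_value is its "Local Value" for the current request.
    $master = ini_flag_is_on($all[$name]['global_value']);
    $local  = ini_flag_is_on($all[$name]['local_value']);
    $line = sprintf(
        '%-18s master=%-3s local=%-3s',
        $name,
        $master ? 'On' : 'Off',
        $local ? 'On' : 'Off'
    );
    if ($master !== $local) {
        $line .= '  <-- overridden for this directory or request';
    }
    return $line;
}

header('Content-Type: text/plain');
echo 'PHP ' . PHP_VERSION . ' (' . PHP_SAPI . ")\n";
echo 'Loaded php.ini: ' . (php_ini_loaded_file() ?: 'none') . "\n\n";

$all = ini_get_all(null, true);
foreach ($directives as $name) {
    echo describe_directive($name, $all) . "\n";
}
```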
