11
iHackCode
Re: PHP flags and site security ????

I just put

php_flag register_globals off


My .htaccess file in XOOPS root looks like this:
php_flag   register_globals   off
<Files admin.php>
order deny,allow
deny from all
allow from 216.239
</Files>
<Files "mainfile.php">
Deny from all
</Files>
Options All -Indexes


*216.239 is not part of my IP address; I edited it so no one would know what I actually put in there.

<Files admin.php> - is on page 8 of the guide

12
artigas
Re: PHP flags and site security ????
  • 2005/3/14 17:30

  • artigas

  • Quite a regular

  • Posts: 208

  • Since: 2004/12/21


Greetings Bandit-X - Thank you for your response.

I tried it like you mentioned it and I still get the 500 error and the web site becomes inaccessible. Here is the actual text of the message showing on the web page.

Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator, [me] and inform them of the time the error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log.

Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request.


I am somewhat at a loss here. This should work. It has got to be something that I do not know that is getting me.

Regards,

13
iHackCode
Re: PHP flags and site security ????

What does the error log say?

-Found This Online

"However, if your host has used php_admin_flag or php_admin_value in one of the httpd configuration files then you can not override this via .htaccess/ini_set etc."

14
Dave_L
Re: PHP flags and site security ????
  • 2005/3/14 18:41

  • Dave_L

  • XOOPS is my life!

  • Posts: 2277

  • Since: 2003/11/7


Don't use the "Directory" directive in an .htaccess file. I'm pretty sure that's not allowed.

15
artigas
Re: PHP flags and site security ????
  • 2005/3/14 18:58

  • artigas

  • Quite a regular

  • Posts: 208

  • Since: 2004/12/21


Greetings Bandit-X and Dave_L -

Thank you for your replies. I will attempt the other method which was to set the flags programmatically from mainfile.php.

Regards,

16
Dave_L
Re: PHP flags and site security ????
  • 2005/3/14 19:27

  • Dave_L

  • XOOPS is my life!

  • Posts: 2277

  • Since: 2003/11/7


According to the PHP manual, register_globals cannot be set using ini_set(), but only within php.ini, httpd.conf or .htaccess.

17
artigas
Re: PHP flags and site security ????
  • 2005/3/14 19:48

  • artigas

  • Quite a regular

  • Posts: 208

  • Since: 2004/12/21


Greetings Dave_L - You are correct.

register_globals boolean
Whether or not to register the EGPCS (Environment, GET, POST, Cookie, Server) variables as global variables.

As of PHP 4.2.0, this directive defaults to off.

Please read the security chapter on Using register_globals for related information.

Please note that register_globals cannot be set at runtime (ini_set()). Although, you can use .htaccess if your host allows it as described above. An example .htaccess entry: php_flag register_globals off.

Note: register_globals is affected by the variables_order directive.


Thank You for your response.
Regards,
Roberto Artigas

18
tjnemez
Re: PHP flags and site security ????
  • 2005/3/14 20:56

  • tjnemez

  • Home away from home

  • Posts: 1594

  • Since: 2003/9/21


Anyone know how to set 'allow_url_fopen' to off? I get the following message in my security advisory:

'allow_url_fopen' : on Not secure
This setting allows attackers to execute arbitrary scripts on remote servers.
Only administrator can change this option.
If you are an admin, edit php.ini or httpd.conf.
Sample of httpd.conf:
php_admin_flag allow_url_fopen off
Else, claim it to your administrators.

19
Dave_L
Re: PHP flags and site security ????
  • 2005/3/14 21:03

  • Dave_L

  • XOOPS is my life!

  • Posts: 2277

  • Since: 2003/11/7


allow_url_fopen can only be set in php.ini or httpd.conf. If you don't have access to those files, you can't change that setting.

20
tjnemez
Re: PHP flags and site security ????
  • 2005/3/14 21:07

  • tjnemez

  • Home away from home

  • Posts: 1594

  • Since: 2003/9/21


Thanks Dave, that's what I thought. I have contacted my hosting co.
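
The scope rules stated across the posts above (no Directory section in .htaccess, php_admin_flag only in httpd.conf, allow_url_fopen only in php.ini or httpd.conf) can be checked before a file is uploaded. The linter below is an added example, not code from this thread or from XOOPS; the function name, the constructed sample file, and the extra section names and unbalanced-section check beyond what the posts mention are assumptions of the example.

```python
import re

# Sections Apache accepts only in httpd.conf; in .htaccess they produce a 500.
SERVER_ONLY_SECTIONS = {"directory", "directorymatch", "location", "virtualhost"}
# Where the two PHP settings discussed in this thread may be changed.
PHP_SCOPE = {"register_globals": "perdir",   # php.ini, httpd.conf or .htaccess
             "allow_url_fopen": "system"}    # php.ini or httpd.conf only

# Constructed sample .htaccess (not a file from the thread).
SAMPLE = """\
php_flag register_globals off
php_flag allow_url_fopen off
php_admin_flag allow_url_fopen off
<Directory /var/www/html>
</Directory>
<Files "mainfile.php">
Deny from all
</Files>
"""

def lint_htaccess(text):
    """Return (line_number, message) findings for one .htaccess file."""
    findings, open_sections = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        closing = re.match(r"</\s*(\w+)\s*>", line)
        opening = re.match(r"<\s*(\w+)", line)
        if closing:
            name = closing.group(1).lower()
            if not open_sections or open_sections.pop() != name:
                findings.append((no, f"unexpected </{name}>"))
        elif opening:
            name = opening.group(1).lower()
            if name in SERVER_ONLY_SECTIONS:
                findings.append((no, f"<{name}> is not allowed in .htaccess"))
            open_sections.append(name)
        else:
            words = line.split()
            directive = words[0].lower()
            if directive in ("php_admin_flag", "php_admin_value"):
                findings.append((no, f"{directive} only works in httpd.conf"))
            elif directive in ("php_flag", "php_value") and len(words) >= 2:
                if PHP_SCOPE.get(words[1].lower()) == "system":
                    findings.append((no, f"{words[1]} can only be set in php.ini or httpd.conf"))
    # Line 0 marks a file-level finding: a section opened but never closed.
    findings += [(0, f"<{name}> is never closed") for name in open_sections]
    return findings
```

On the sample, lines 2, 3 and 4 are flagged; the register_globals line and the Files block pass.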
