11
carpeweb
Re: Protector
  • 2007/4/3 19:58

  • carpeweb

  • Just popping in

  • Posts: 38

  • Since: 2002/9/12


Thanks, Dave.

It's on.

Quote:
"resource(3) of type (stream)"


Before I contact my host provider about this, does (3) mean something different from the (5) in your example?

In any case, my host provider is saying it is disabled, which clearly is not the case.

Great, easy test. Thanks!

Jim

12
vaughan
Re: Protector
  • 2007/4/3 21:18

  • vaughan

  • Friend of XOOPS

  • Posts: 680

  • Since: 2005/11/26


Quote:

carpeweb wrote:
I'm also having some problems with allow_url_fopen.

My XOOPS Info has a red dot next to this parameter, but my host said that this option is disabled system-wide. I checked a file called .htaccess in my root (public_html) folder, and it has the following line:

php_flag allow_url_fopen off

So, it seems to me that my host is doing the right thing here, but somehow XOOPS Info is maybe looking in httpd.conf or some other file for the same setting. I don't have access to httpd.conf; at least I don't see it in my file manager from my hosting provider.

Does anyone know how I can confirm whether I'm protected against allow_url_fopen?

Thanks!


use php_admin_flag allow_url_fopen off instead of php_flag allow_url_fopen off

13
Dave_L
Re: Protector
  • 2007/4/3 21:45

  • Dave_L

  • XOOPS is my life!

  • Posts: 2277

  • Since: 2003/11/7


Quote:

carpeweb wrote:
Quote:
"resource(3) of type (stream)"

Before I contact my host provider about this, does (3) mean something different from the (5) in your example?

I don't know what the "3" or "5" mean, but it doesn't matter for this purpose. The fact that the fopen() call returned a non-false result means that allow_url_fopen is on.

14
carpeweb
Re: Protector
  • 2007/4/4 13:20

  • carpeweb

  • Just popping in

  • Posts: 38

  • Since: 2002/9/12


Quote:
use php_admin_flag allow_url_fopen off instead of php_flag allow_url_fopen off


Vaughan, when I tried this, my admin menu would not load and the page looked like this:
Quote:

Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator, webmaster@hoahuntersrun.com and inform them of the time the error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log.

Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request.
Apache/1.3.37 Server at hoahuntersrun.com Port 80

Do I need my host to restart the server or something like that? When I change .htaccess back, everything looks fine, without restarting or anything.

Thanks,
Jim

15
Dave_L
Re: Protector
  • 2007/4/4 14:26

  • Dave_L

  • XOOPS is my life!

  • Posts: 2277

  • Since: 2003/11/7


You can't use php_admin_flag in an .htaccess file.

The parameter allow_url_fopen can only be changed in the main (server-wide) Apache config file, or in the PHP .ini file.

16
vaughan
Re: Protector
  • 2007/4/4 14:46

  • vaughan

  • Friend of XOOPS

  • Posts: 680

  • Since: 2005/11/26


@dave,

you can use php_flags in .htaccess when PHP is running as an apache module instead of in CGI mode.

but from the error given above it does look like PHP is running in CGI mode, in which case you need to create a php.ini file and place it in every folder that has an executable script.

By that I mean you have to place a php.ini file in the XOOPS root folder, then in each module's root folder and also in each module's admin folder. php.ini files do not affect folders below them like .htaccess does.

in your php.ini file you need to add:

register_globals = 0
allow_url_fopen = 0
session.use_only_cookies = 1


session.use_only_cookies is optional but may give you a tiny bit more protection as well.

17
Dave_L
Re: Protector
  • 2007/4/4 16:24

  • Dave_L

  • XOOPS is my life!

  • Posts: 2277

  • Since: 2003/11/7


Quote:

vaughan wrote:
@dave,

you can use php_flags in .htaccess when PHP is running as an apache module instead of in CGI mode.


But some flags, such as allow_url_fopen, cannot be set in an .htaccess file.

References:
http://us3.php.net/manual/en/ini.php#ini.list
http://us3.php.net/manual/en/ref.filesystem.php#ini.allow-url-fopen
(Note the "Changeable" column.)

18
carpeweb
Re: Protector
  • 2007/4/4 16:29

  • carpeweb

  • Just popping in

  • Posts: 38

  • Since: 2002/9/12


Well, I put the php.ini file in all the folders you mentioned, and it's still on, according to the test script from dave as well as the red dot in XOOPS Info.

Does the php.ini file take care of the matter somehow behind the scenes?

Thanks,
Jim
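As an added example that is not part of this thread (and not XOOPS or Protector code), here is a single PHP probe page that combines the checks discussed above: the fopen() test Dave_L describes in post 13, the "Changeable" scope from the manual table Dave_L links in post 17, and which php.ini the web SAPI actually loaded, which is what decides whether the per-directory php.ini from post 16 took effect at all. It assumes PHP 5.3 or later (for ini_get_all() details and php_ini_loaded_file()) and uses http://example.com/ as a stand-in remote target; both are assumptions, not anything the thread specifies. Request it through the browser, not the command line, because the CLI binary can read a different php.ini than the web server's PHP.

```php
<?php
// Added example, not from the thread or the XOOPS project.
// Reports how allow_url_fopen is set for the SAPI serving THIS request,
// where PHP says the setting may be changed, which php.ini was read,
// and then confirms behaviour with the same fopen() probe as post 13.
// Assumes PHP >= 5.3. Drop it in the web root, request it, then delete it
// (it discloses server configuration).

header('Content-Type: text/plain');

// 1. Configured value and the SAPI. ini_get() returns "1"/"0"/"" as strings.
$raw = ini_get('allow_url_fopen');
printf("SAPI: %s\n", php_sapi_name());
printf("allow_url_fopen = %s (%s)\n", var_export($raw, true),
       filter_var($raw, FILTER_VALIDATE_BOOLEAN) ? 'ON' : 'off');

// 2. The manual's "Changeable" column, as PHP itself reports it.
//    PHP_INI_USER=1 (ini_set), PHP_INI_PERDIR=2 (.htaccess / .user.ini),
//    PHP_INI_SYSTEM=4 (php.ini or httpd.conf only), PHP_INI_ALL=7.
$details = ini_get_all(null, true);
$access  = isset($details['allow_url_fopen']['access'])
         ? (int) $details['allow_url_fopen']['access'] : 0;
$scopes = array();
if ($access & PHP_INI_USER)   $scopes[] = 'ini_set()';
if ($access & PHP_INI_PERDIR) $scopes[] = '.htaccess / .user.ini';
if ($access & PHP_INI_SYSTEM) $scopes[] = 'php.ini / httpd.conf';
printf("changeable in: %s\n", $scopes ? implode(', ', $scopes) : '(unknown)');

// 3. Which php.ini this SAPI actually read. If the file you placed next to
//    the script is not listed here, PHP never saw it.
printf("loaded php.ini: %s\n", php_ini_loaded_file() ?: '(none)');
printf("extra ini files: %s\n", php_ini_scanned_files() ?: '(none)');

// 4. Behavioural check: try to open a remote URL (assumed target).
$target = 'http://example.com/';
$ctx    = stream_context_create(array('http' => array('timeout' => 5)));
$fp     = @fopen($target, 'r', false, $ctx);
if ($fp === false) {
    $err = error_get_last();
    printf("fopen(%s) failed: %s\n", $target, $err ? $err['message'] : 'unknown');
    // A failure proves nothing on its own: it may be the wrapper being
    // disabled or simply no outbound network; compare with step 1.
    echo "remote fopen blocked (allow_url_fopen off, or no outbound network)\n";
} else {
    fclose($fp);
    echo "remote fopen SUCCEEDED: allow_url_fopen is effectively ON\n";
}
```

Two things to read off the output. If "changeable in" shows only "php.ini / httpd.conf", then no .htaccess line can ever turn the setting off, which is the point Dave_L makes, and the "loaded php.ini" line tells you whether the per-directory php.ini is being read at all: PHP running as an Apache module reads only the server-wide file, while the CGI build also looks in the current working directory, so a missing entry there means the host's build is not honouring per-directory files. The fopen() result is the only line that reflects actual behaviour, which is why a failure is reported as inconclusive rather than as "off".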

19
vaughan
Re: Protector
  • 2007/4/4 17:30

  • vaughan

  • Friend of XOOPS

  • Posts: 680

  • Since: 2005/11/26


Quote:

Dave_L wrote:

But some flags, such as allow_url_fopen, cannot be set in an .htaccess file.


I stand corrected :) It has been changed, as you used to be able to, but that was prior to 4.3.4 by the looks of that table.

back to Carpeweb,

it should work in php.ini, but it looks like your host has configured PHP to not allow overrides of that setting (for some strange reason). I can't think of anything else you can do apart from pleading with your host on the grounds that you're paying for a hosting service and you want to disable that function because it is a security issue which can open your site up to exploitation, which in turn can (potentially) bring down everyone else's site that is hosted on that server. They should at least be able to allow it to be overridden on a per-user basis by using a php.ini file, like all other GOOD hosts allow.

20
carpeweb
Re: Protector
  • 2007/4/4 18:34

  • carpeweb

  • Just popping in

  • Posts: 38

  • Since: 2002/9/12


My host says they have "mod security installed to prevent these types of exploits".

Somehow, that doesn't make me feel great, but otherwise my host (OpenSourceHost.com) has been great. So, does "mod security" give me similar protection?

Thanks,
Jim
