1
sensei88
Protector Module Security Problems
  • 2005/4/14 6:07

  • sensei88

  • Just popping in

  • Posts: 4

  • Since: 2005/4/8 8


I recently changed servers and normally I implement the changes proposed by the protector module in the .htaccess file. My new server though edits the .htaccess to comment out my changes saying:

# For security reasons, mod_php is not used on this server. Use a php.ini file for php directives
# php_flag register_globals off

So I went to my php.ini and changed to

register_globals = Off
register_argc_argv = Off

I was unable to find anything related to 'allow_url_fopen'.

Now the thing that bothers me is that when I go to my protector module and run the security advisory, it says:

'register_globals' : on Not secure
This setting invites a variety of injecting attacks.
If you can put .htaccess, edit or create...

/home/xxx/public_html/.htaccess

php_flag register_globals off

'allow_url_fopen' : on Not secure
This setting allows attackers to execute arbitrary scripts on remote servers.
Only administrator can change this option.
If you are an admin, edit php.ini or httpd.conf.
Sample of httpd.conf:
php_admin_flag allow_url_fopen off
Else, claim it to your administrators.


I know that register_globals is off from running a phpinfo(), so why does it say that it's on? Also, where can I change allow_url_fopen to off in php.ini?

2
sensei88
Re: Protector Module Security Problems
  • 2005/4/19 1:03

  • sensei88

  • Just popping in

  • Posts: 4

  • Since: 2005/4/8 8


....

3
jdseymour
Re: Protector Module Security Problems

It would be a good idea to post this at the Developer's Forum. He could answer this, but he does not come to this site very often.

4
xianxoop
Re: Protector Module Security Problems
  • 2005/4/19 6:19

  • xianxoop

  • Just popping in

  • Posts: 9

  • Since: 2005/2/9 0


place this in your php.ini

register_globals = Off
allow_url_fopen = Off

-----------

Some companies are running cgi instead of php

According to them, you need to put this php.ini in the following directories: public_html, and in any modules that you are running, i.e. /public_html/modules/protector, /public_html/modules/protector/admin, /public_html/modules/downloads/admin and so on and so on.

So if your hosting company is running cgi instead of php (for any reason), you are screwed. “Unless someone corrects this insanity.”

So please tell me these are nonsense and there is a better way to do this.

5
m0nty
Re: Protector Module Security Problems
  • 2005/4/23 6:19

  • m0nty

  • XOOPS is my life!

  • Posts: 3337

  • Since: 2003/10/24


i can confirm that the php.ini method works when php is in CGI mode and .htaccess isn't possible..

have just done it on a 1 & 1 server as they use CGI unfortunately..

it was nice also to be able to set other things.. hehehe

register_globals = Off
allow_url_fopen = Off
memory_limit = 40M
post_max_size = 32M <was 8M>
upload_max_filesize = 20M <was 2M>
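
Added example, not part of any post in this thread and not XOOPS or Protector code: a shell audit for the per-directory php.ini setup described in posts 4 and 5. It lists every directory under a web root that holds .php files but has no php.ini, or whose php.ini does not turn register_globals and allow_url_fopen off. The function names and the sample tree are made up for the illustration, and the need for one php.ini per directory is taken from post 4 as an assumption.

```shell
#!/bin/sh
# Added example. Assumption (post 4): under CGI each PHP directory needs a php.ini.

# ini_value FILE KEY: print the last uncommented value of KEY, lowercased
ini_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^;[:space:]]*\).*/\1/p" "$1" |
        tail -n 1 | tr '[:upper:]' '[:lower:]' | tr -d '"'
}

# is_off VALUE: succeed for the common spellings php.ini reads as boolean false
is_off() {
    case "$1" in off|0|false|no) return 0 ;; *) return 1 ;; esac
}

# audit_docroot DIR: list directories holding .php files whose php.ini is absent
# or leaves a directive on; exit status is 1 if any directory is listed
audit_docroot() {
    find "$1" -type f -name '*.php' | sed 's|/[^/]*$||' | sort -u | {
        bad=0
        while IFS= read -r dir; do
            ini="$dir/php.ini"
            if [ ! -f "$ini" ]; then
                echo "MISSING $dir"; bad=1; continue
            fi
            for key in register_globals allow_url_fopen; do
                is_off "$(ini_value "$ini" "$key")" ||
                    { echo "NOT-OFF $dir $key"; bad=1; }
            done
        done
        [ "$bad" -eq 0 ]
    }
}

# make_sample_tree: build a constructed web root (paths invented for the demo)
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/modules/protector/admin"
    touch "$root/index.php" "$root/modules/protector/index.php" \
          "$root/modules/protector/admin/index.php"
    printf 'register_globals = Off\nallow_url_fopen = Off\n' > "$root/php.ini"
    printf 'register_globals = Off\n; allow_url_fopen = Off\n' \
        > "$root/modules/protector/php.ini"
    echo "$root"
}

# Audit the directory given as $1, or the constructed sample tree if none is given
if [ "$#" -gt 0 ]; then audit_docroot "$1"
else t=$(make_sample_tree); audit_docroot "$t" || true; rm -rf "$t"
fi
```

A commented-out directive (the `; allow_url_fopen = Off` line in the sample) counts as not set, so that directory is reported.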
