xoops forums

Johnny5Step

Just popping in
Posted on: 2008/11/30 22:35
Posts: 10
Since: 2008/11/22
#1

Following Security Advisor instructions in Protector 3.20

XOOPS Version: XOOPS 2.3.2
Module Name/Version: Protector 3.2
PHP Version: 5.2.6
MySQL Version: 5.0.67-community
Web Server Software: Apache 2.2.9 (Unix)
Operating System: Linux
Theme you are using: default
Custom template: Not at this point
A full description of the issue:
This was a clean install of XOOPS 2.3.1 and upgrade to XOOPS 2.3.2. I followed the install instructions exactly; all the installs went fine, and the portal and admin all seem to be working fine.

I have been able to satisfy the Protector 3.20 Security Advisory on 4 of its 5 warnings. I don't know how severe this security gap is. Though Protector has already logged a couple of attempts of "Guest - CONTAMI - Attempt to inject 'xoopsConfig' was found." and the site's not even really in use yet.

The one I can't figure out is this one:
Quote:

'allow_url_fopen' : on Not secure
This setting allows attackers to execute arbitrary scripts on remote servers.
Only administrator can change this option.
If you are an admin, edit php.ini or httpd.conf.
Sample of httpd.conf:
php_admin_flag allow_url_fopen off
Else, claim it to your administrators.


I did a service ticket to our web host and they said I could add php.ini overwriting files to each folder that would be affected and gave me a txt file of a sample php.ini to edit and instructions on installing it.

I have our XOOPS portal in a sub-directory, not the root directory. And have other php programs working on our domain.

I don't know if I've edited the overwriting php.ini file correctly and want to determine if I need to put it in all the directories of the XOOPS install, including the ones that are above the public-html level?

I am new to Xoops, though I've worked with other php portal type programs.

Thanks for any assistance or advice,

ghia

Community Support Member
Posted on: 2008/12/1 10:15
Posts: 4954
Since: 2008/7/3 1
#2

Re: Following Security Advisor instructions in Protector 3.20

Can you copy these instructions in your post?

If you have other PHP scripts, then these scripts may also be vulnerable to these kinds of exploits. Some may also be dependent on the allowance and may no longer function.

I believe the php.ini replacement has to be copied in every entry page directory. For XOOPS this would mean every directory with php files (other than class or include, because these can normally not be called directly), such as the root, modules, admin and blocks.

You must also understand that Protector, with all its security settings and advice, does not give you a 100% bulletproof solution. It only reduces the risk.
So, if this setting is on and not off, you live a little more dangerously (don't ask me for numbers), but it is not likely that your site will die tomorrow.

Johnny5Step

Just popping in
Posted on: 2008/12/1 19:33
Posts: 10
Since: 2008/11/22
#3

Re: Following Security Advisor instructions in Protector 3.20

I will copy the instruction here below that I was given:

I have two main questions left at this point. When it says every directory I wish to affect, does that include the ones that were put above (and renamed) the public_html? (I guess that's the Root?) Is the fact that XOOPS is in an oddly named directory inside public_html going to make a difference, or keep me from applying this?

Here is the file I was given to edit:
Quote:
<?php
// Put all the php.ini parameters you want to change below. One per line.
// Follow the example format $parm[] = "parameter = value";
$parm[] = "register_globals = Off";
$parm[] = "session.use_trans_sid = 0";

// full unix path - location of the default php.ini file at your host
// you can determine the location of the default file using phpinfo()
$defaultPath = '/usr/local/lib/php.ini';

// full unix path - location where you want your custom php.ini file
$customPath = "/home/user/public_html/php.ini";

// nothing should change below this line.
if (file_exists($defaultPath)) {
    $contents = file_get_contents($defaultPath);
    $contents .= "\n\n; USER MODIFIED PARAMETERS FOLLOW\n\n";
    foreach ($parm as $value) {
        $contents .= $value . " \n";
    }
    if (file_put_contents($customPath, $contents)) {
        if (chmod($customPath, 0600)) {
            $message = "The php.ini file has been modified and copied";
        } else {
            $message = "Processing error - php.ini chmod failed";
        }
    } else {
        $message = "Processing error - php.ini write failed";
    }
} else {
    $message = "Processing error - php.ini file not found";
}
echo $message;
?>


I couldn't find a:
php_admin_flag allow_url_fopen off
line together so I changed:
$parm[] = "register_globals = Off";
$parm[] = "session.use_trans_sid = 0";
to
$parm[] = "php_admin_flag = Off";
$parm[] = "register_globals = Off";

The session.use_trans_sid having already been taken care of in another way per Protector's instructions and has a green check by it anyway.

I have no idea if that's the correct syntax, but I do want to get it correct before copying it in the hundreds of directories of the XOOPS install.

The only other change I made was on the:
$customPath = "/home/user/public_html/php.ini";
line, I changed "user" to our user name and added the exact name of the directory XOOPS is in between public_html and php.ini:
$customPath = "/home/MyUserName/public_html/XoopsDirName/php.ini";

I also wonder if the:
if (chmod($customPath,0600))
means I need to chmod the permissions on all the php.ini files that I install in the XOOPS directory and subdirectories to be 600 (if they don't automatically go to that)?

Here are the instructions I followed:
(I'm leaving out the other parts about deleting a php.ini file and changing it later to add other stuff)

Quote:
INSTALLING A CUSTOM PHP.INI DIRECTIVE

1. Log in to cPanel
2. Click on Legacy File Manager, and have it open to your web root.
3. Click "Create a New File".
4. In the right hand frame, in the field, allow it to default to text document, and put "php.ini" in the field.
5. Find php.ini in the list of files in the left hand window pane.
6. Click on the word php.ini
7. In the right hand frame, click "Edit File with Code Editor"
8. Allow coding to default to iso-8859-1
9. It will launch a new tab or window that is numbered down the side. This is where you will place the values that you need to change.
10. Copy the attached php.ini into it, and edit what you need from there.
11. When you are done, click "Save Changes" at the top, and go back to file Manager.


If I am understanding this correctly, this file accesses the main php.ini on the server and modifies only the lines that it contains, and only for the directories and subdirectories that have a copy of it in them?

If I put a copy of this into "Root" or "public_html" this would affect the Invision Power Board, the Drupal, the Polls, the Calendars, and other php stuff that are all in their own directories already, in some cases subdirectories?

Or maybe not if it was in the "public_html" and then only in the XOOPS main directory and subdirectories?

Hopefully this is what you wanted me to post.
Thanks,
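
Added example (not part of the original posts and not the web host's script): a PHP check over the text of an override php.ini such as the one the generator script quoted above produces. It reports the effective value of the three directives named in this thread and flags lines that use Apache httpd.conf directive names; the function names and the sample text are constructed for illustration.

```php
<?php
// Added example: audit the text of an override php.ini (sample text is constructed).

// Apache (mod_php) configuration directives; these are not php.ini directive names.
const APACHE_ONLY = ['php_admin_flag', 'php_admin_value', 'php_flag', 'php_value'];
// Directives discussed in this thread; all of them are wanted Off.
const WANTED_OFF = ['allow_url_fopen', 'register_globals', 'session.use_trans_sid'];

function iniIsOn(string $value): bool
{
    return in_array(strtolower(trim($value, " \t\"'")), ['1', 'on', 'yes', 'true'], true);
}

function auditIni(string $text): array
{
    $effective = [];
    $problems = [];
    foreach (preg_split('/\R/', $text) as $i => $line) {
        $line = trim(explode(';', $line, 2)[0]);   // drop comments
        if (!preg_match('/^([A-Za-z0-9_.]+)\s*=\s*(.*)$/', $line, $m)) {
            continue;                              // blank line, comment or [section]
        }
        if (in_array($m[1], APACHE_ONLY, true)) {
            $problems[] = sprintf('line %d: "%s" is httpd.conf syntax, not a php.ini directive', $i + 1, $m[1]);
            continue;
        }
        // The generator appends its overrides to a copy of the default file,
        // so the last assignment of a name is the one that takes effect.
        $effective[$m[1]] = $m[2];
    }
    foreach (WANTED_OFF as $name) {
        if (!array_key_exists($name, $effective)) {
            $problems[] = "$name: not set in this file";
        } elseif (iniIsOn($effective[$name])) {
            $problems[] = "$name: effective value is \"{$effective[$name]}\", wanted Off";
        }
    }
    return $problems;
}

// Constructed sample: two default lines followed by an appended override block.
$sample = "allow_url_fopen = On\nregister_globals = On\n\n"
        . "; USER MODIFIED PARAMETERS FOLLOW\n\n"
        . "php_admin_flag = Off \nregister_globals = Off \n";

foreach (auditIni($sample) as $problem) {
    echo $problem, PHP_EOL;
}
```

In a directory where an override is active, calling `ini_get('allow_url_fopen')` from a test script shows the value PHP is actually using there.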