Joomla! Discussion Forums



 Post subject: secure it with php.ini
Posted: Tue Jul 11, 2006 12:41 pm
Joomla! Apprentice
Joined: Tue Jul 11, 2006 12:37 pm
Posts: 6
Hi,
I don't know whether you know this, but you can additionally secure your Joomla with a php.ini in each directory, or in your main php.ini if you have your own server:

------------snip------------------
allow_url_fopen = OFF
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open
------------snap------------------

Thanks for your attention


Posted: Tue Jul 11, 2006 7:25 pm
Joomla! Explorer
Joined: Mon Aug 22, 2005 5:43 pm
Posts: 405
Can the development team confirm this for us?
Will this have any problems that we can foresee?
Why doesn't development include this in the Joomla distribution itself?

_________________
--Vish "Still Learning"

http://IndicJoomla.org
http://parvarish.com


Posted: Wed Jul 12, 2006 1:54 am
Joomla! Ace
Joined: Mon Dec 05, 2005 10:17 am
Posts: 1318
Location: New Orleans, LA, USA
You have to have PHP configured to look for these extra php.ini files which most hosts probably don't do.  It is not included in the default install because it is not a common solution.  Most PHP developers recognize the potential for misuse of register globals and choose not to use them, it is better to have them turned off completely for the whole server and that is what we recommend.

_________________
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions


Posted: Wed Jul 12, 2006 5:42 am
Joomla! Apprentice
Joined: Tue Jul 11, 2006 12:37 pm
Posts: 6
But my hoster (Schlund) has activated these features, and I'm not sure whether 1and1 has activated them too.
It's not a mistake to do this; if you do not know what your hoster is doing, it's better to insert your own php.ini file.
Right?


Posted: Wed Jul 12, 2006 5:54 am
Joomla! Ace
Joined: Mon Dec 05, 2005 10:17 am
Posts: 1318
Location: New Orleans, LA, USA
Pumuckl wrote:
But my hoster (Schlund) has activated these features, and I'm not sure whether 1and1 has activated them too.
It's not a mistake to do this; if you do not know what your hoster is doing, it's better to insert your own php.ini file.
Right?


PHP will not automatically read the values from any file called php.ini.  PHP has to be configured in the core php.ini file to scan other directories for more ini files.  By default, it only scans the extensions directory for other ini files.  Some hosts allow the users to override the configuration of the core php.ini via this method but as far as I am aware it is not a very common practice.

_________________
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions


Posted: Wed Jul 12, 2006 5:57 am
Joomla! Explorer
Joined: Fri Aug 19, 2005 12:47 pm
Posts: 268
RobS wrote:
Pumuckl wrote:
But my hoster (Schlund) has activated these features, and I'm not sure whether 1and1 has activated them too.
It's not a mistake to do this; if you do not know what your hoster is doing, it's better to insert your own php.ini file.
Right?


PHP will not automatically read the values from any file called php.ini.  PHP has to be configured in the core php.ini file to scan other directories for more ini files.  By default, it only scans the extensions directory for other ini files.  Some hosts allow the users to override the configuration of the core php.ini via this method but as far as I am aware it is not a very common practice.


I can override the php.ini file.

Is this a solution that I can use for a more secure Joomla?

_________________
Demetris Dimarelis
http://www.joomalb.com, Albanian Support site for Joomal | Joomla ne Shqip
http://www.e-orama.com, Web Services & Internet Marketing in Greece & Albania


Posted: Wed Jul 12, 2006 6:12 am
Joomla! Ace
Joined: Mon Dec 05, 2005 10:17 am
Posts: 1318
Location: New Orleans, LA, USA
If your host has register globals on I would suggest disabling it if you can by a php.ini override.  I don't know other than that, I don't mess with the settings of PHP very often to be familiar with more secure/less secure options (aside from register globals, obviously).

_________________
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions


Posted: Wed Jul 12, 2006 6:19 am
Joomla! Apprentice
Joined: Tue Jul 11, 2006 12:37 pm
Posts: 6
Quote:
I can override the php.ini file.

Is this a solution that I can use for a more secure Joomla?

Yes, this will secure your Joomla!
But check whether all functions of 3rd-party add-ons or components still work after this.
You have to insert the php.ini file in each directory; it does not work recursively!
And you don't need to use the parameter "phpinfo", only if you don't want to show users your PHP configuration.
I've used it and I see that Joomla still works fine after I inserted the php.ini.
Try it!

If you're able to override the global php.ini, please add "php_value register_globals off", too.

php.ini:
-------------snip-------------
allow_url_fopen = OFF
; php.ini spelling of the register_globals override ("php_value register_globals off" is the .htaccess spelling)
register_globals = Off
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open
-------------snap-------------


Last edited by Pumuckl on Wed Jul 12, 2006 7:25 am, edited 1 time in total.

Posted: Thu Jul 13, 2006 7:22 am
Joomla! Explorer
Joined: Fri Aug 19, 2005 12:47 pm
Posts: 268
Do I need to include php.ini also in the images folder???  :(

_________________
Demetris Dimarelis
http://www.joomalb.com, Albanian Support site for Joomal | Joomla ne Shqip
http://www.e-orama.com, Web Services & Internet Marketing in Greece & Albania


Posted: Thu Jul 13, 2006 7:32 am
Joomla! Apprentice
Joined: Tue Jul 11, 2006 12:37 pm
Posts: 6
albi wrote:
Do I need to include php.ini also in the images folder???  :(

No, because there are no PHP files there.


Posted: Thu Jul 13, 2006 5:39 pm
Joomla! Enthusiast
Joined: Sun Sep 11, 2005 7:46 pm
Posts: 130
Location: san francisco, ca usa
I have Joomla sites hosted at site5, which runs PHP in CGI mode, supposedly for security.
The default php.ini for the server runs with register_globals=off

To secure your apps, this means that you have to have a php.ini file inside of every directory of your application. This is a major pain, but there is a great solution!

A guy there came up with two great scripts that let you take care of the issue:
1) copy your server's default php.ini - if you don't do this you will cause more damage than doing nothing
2) add the custom features you need in this php.ini
3) copy it across your site with the script

http://tips-scripts.com/?tip=php_ini
http://tips-scripts.com/?tip=php_ini_copy
http://tips-scripts.com/?tip=php_ini_delete


I did this after a dotProject app was hacked, and realized how register_globals = ON is dangerous, so I went through all apps to do this. Now I do this as a rule for every app.

So the custom settings would be:

; USER MODIFIED PARAMETERS FOLLOW
register_globals = Off
session.use_trans_sid = 0

And make sure you chmod the php.ini to 0600 before you copy it across the site with the script.  (I use WinSCP to edit the file directly from my desktop, or from PuTTY; not sure if 0600 is too restrictive if you use other methods)


Last edited by emagin on Thu Jul 13, 2006 6:26 pm, edited 1 time in total.
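The three-step procedure in the post above (copy the server's php.ini, append your overrides, push the file into every directory), together with the later point about re-running it after each component install, as an added shell example. It is not one of the tips-scripts.com scripts and not part of the original post. It assumes PHP runs as a CGI/FastCGI binary, where PHP loads the php.ini it finds in the script's working directory in place of the server-wide one; that is why the file you deploy has to be a complete copy of the server's php.ini with the overrides appended, and why a file holding only the two override lines does more harm than good. The sample site tree and the hardened.ini the block builds are constructed for the demonstration. Mode 0600 keeps the file readable by PHP, which runs as your account under CGI, while on hosts where Apache itself runs as a different user it also stops Apache from serving php.ini as a static file.

```shell
#!/bin/sh
# Added example (not from the thread or tips-scripts.com): push one prepared
# php.ini into every directory that holds .php files, and list the ones that
# still lack it. Assumes the CGI/FastCGI SAPI, where PHP takes the php.ini in
# the script's directory *instead of* the server-wide one, so the prepared
# file must be a full copy of the server's php.ini plus the overrides.

# Print every directory under $1 that contains at least one .php file, sorted,
# one per line. Directories holding only images or CSS are left alone.
php_dirs() {
    find "$1" -type f -name '*.php' -exec dirname '{}' \; | sort -u
}

# Copy the prepared php.ini ($2) into each directory from php_dirs "$1" with
# mode 0600. Existing copies are overwritten, so re-running after a component
# install both refreshes old copies and covers the component's new directories.
deploy_php_ini() {
    root=$1; src=$2
    php_dirs "$root" | while IFS= read -r d; do
        cp "$src" "$d/php.ini" && chmod 0600 "$d/php.ini"
    done
}

# Print directories that hold .php files but no php.ini: the gap a freshly
# installed component opens until deploy_php_ini is run again.
missing_php_ini() {
    php_dirs "$1" | while IFS= read -r d; do
        [ -f "$d/php.ini" ] || printf '%s\n' "$d"
    done
}

# Build a constructed sample site in a temp dir and print its path. The
# hardened.ini here stands in for "server php.ini + overrides"; a real one
# would start with the full copy of the server file.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/site/components/com_forum" "$t/site/administrator" "$t/site/images"
    : > "$t/site/index.php"
    : > "$t/site/administrator/index.php"
    : > "$t/site/components/com_forum/forum.php"
    : > "$t/site/images/logo.png"
    {
        printf '; (constructed) the full server php.ini would precede this line\n'
        printf '; USER MODIFIED PARAMETERS FOLLOW\n'
        printf 'register_globals = Off\nsession.use_trans_sid = 0\n'
    } > "$t/hardened.ini"
    printf '%s\n' "$t"
}
```

Typical use on a real account (paths hypothetical): `deploy_php_ini /home/you/public_html /home/you/hardened.ini` after every component install, and `missing_php_ini /home/you/public_html` whenever you want to see which directories a new extension left uncovered.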

Posted: Tue Jul 25, 2006 1:14 pm
Joomla! Virtuoso
Joined: Fri Aug 19, 2005 3:03 pm
Posts: 4724
Location: Indiana, USA
emagin,
thank you very much for links to those scripts. they were very helpful!

_________________
If you're new to Joomla, Please read Anna's Joomla! Tips: viewtopic.php?t=5503

http://nathandiehl.com | Find out what makes me tick


Posted: Tue Jul 25, 2006 2:00 pm
Joomla! Apprentice
Joined: Sun Oct 23, 2005 6:29 pm
Posts: 6
emagin wrote:
I have joomla sites hosted at site5, which runs PHP in cgi mode, supposedly for security.
The default php.ini for the server runs with register_globals=off

To secure your apps, this means that you have to have a php.ini file inside of every directory of your application. This is a major pain, but there is a great solution!

A guy there came up with two great scripts that let you take care of the issue:
1) copy your server's default php.ini - if you don't do this you will cause more damage than doing nothing
2) add the custom features you need in this php.ini
3) copy it across your site with script

http://tips-scripts.com/?tip=php_ini
http://tips-scripts.com/?tip=php_ini_copy
http://tips-scripts.com/?tip=php_ini_delete


I did this after a dotproject app was hacked, and realized how register_globals = ON is dangerous, so i went through all apps to do this. Now I do this as a rule for every app.

So the custom settings would be:

; USER MODIFIED PARAMETERS FOLLOW
register_globals = Off
session.use_trans_sid = 0

And make sure you chmod the php.ini to 0600 before you copy it across the site with the script.  (I use WinSCP to edit the file directly from my desktop, or from PuTTY; not sure if 0600 is too restrictive if you use other methods)




If I use shared hosting, how do I get to my server's php.ini file?


Posted: Tue Jul 25, 2006 5:20 pm
Joomla! Virtuoso
Joined: Fri Aug 19, 2005 3:03 pm
Posts: 4724
Location: Indiana, USA
Create a new PHP file with the contents:



Its results will give you the location.

_________________
If you're new to Joomla, Please read Anna's Joomla! Tips: viewtopic.php?t=5503

http://nathandiehl.com | Find out what makes me tick


Posted: Tue Jul 25, 2006 6:47 pm
Joomla! Enthusiast
Joined: Sun Sep 11, 2005 7:46 pm
Posts: 130
Location: san francisco, ca usa
The second link listed explains how to copy your ini file.


Posted: Mon Jul 31, 2006 4:18 pm
Joomla! Enthusiast
Joined: Sun Sep 11, 2005 7:46 pm
Posts: 130
Location: san francisco, ca usa
Also, don't forget to run your copy-php.ini script after each component install in Joomla.
There are several components which write data in directories. If there is an exploit of that component (like a forum component, etc.) and you don't run the copy-php.ini script to refill those new directories, you could be exposed.


Posted: Sat Aug 05, 2006 7:13 pm
Joomla! Apprentice
Joined: Tue Aug 01, 2006 4:28 am
Posts: 49
emagin wrote:
Also, don't forget to run your copy-php.ini script after each component install in Joomla.
There are several components which write data in directories. If there is an exploit of that component (like a forum component, etc.) and you don't run the copy-php.ini script to refill those new directories, you could be exposed.


Hey emagin, thanks for the script. I am a little confused about how I run the copy script though. I uploaded both the copy and default scripts from the links you gave me, and I named them php.ini and multiply-php.ini. I typed the latter in my browser's address bar, but it just gave me an option to save the file. ???

Is there some kind of program I need to install or use? Could I PM you my scripts so you could have a look at them?

Thanks, Brandon.

_________________
www.hdtvinnovations.com - HDTV Innovations, your ultimate HDTV headquarters.

"I like mornings .. I just wish they were later in the day" - Me.
"'Techmology' what is it all about" - Ali G.


Posted: Sat Aug 05, 2006 11:49 pm
Joomla! Apprentice
Joined: Fri Aug 19, 2005 11:24 pm
Posts: 30
Location: Duisburg / Germany
Code:
disable_functions =  show_source,exec,shell_exec,wget,proc,passthru,system,popen,proc_open,escapeshellcmd,escapeshellarg


_________________
http://www.info-radevormwald.de


Posted: Thu Aug 17, 2006 9:04 am
Joomla! Intern
Joined: Fri Sep 02, 2005 9:24 pm
Posts: 52
Hello all

I would like the following ini code "translated" into the .htaccess file.
Do you know the equivalents?

Code:
register_globals = 0
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open
allow_url_fopen = 0
magic_quotes_gpc = 0


Posted: Thu Aug 17, 2006 9:54 am
Joomla! Guru
Joined: Thu Aug 18, 2005 8:53 am
Posts: 711
Location: Switzerland
silexian wrote:
Hello all

I would like the following ini code "translated" into the .htaccess file.
Do you know the equivalents?

Code:
register_globals = 0
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open
allow_url_fopen = 0
magic_quotes_gpc = 0



I can't agree with magic_quotes_gpc = 0 being more secure than magic_quotes_gpc = 1...

For added security you really should have magic_quotes_gpc = 1

This avoids most SQL injection attacks for poor code (or stupidly forgotten escaping), and all of Joomla and most extensions know how to handle it correctly.

_________________
Beat 8)
www.joomlapolis.com <= Community Builder + CBSubs Joomla membership payment system - team
hosting.joomlapolis.com <= Joomla! Hosting, by the CB Team
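silexian's question above, answered as an added shell example that is not from the thread. It turns php.ini-style lines into the `php_flag`/`php_value` lines Apache's mod_php accepts in .htaccess, and refuses the ones .htaccess cannot carry. In the PHP manual's terms, `disable_functions` and `allow_url_fopen` are PHP_INI_SYSTEM and take effect only in the php.ini PHP actually loads (the server-wide file, or a per-directory php.ini under CGI, where that file is the php.ini), while `register_globals` and `magic_quotes_gpc` are PHP_INI_PERDIR and may go in .htaccess. Two caveats follow: `php_flag` lines are parsed by mod_php, so on a host running PHP as CGI (site5, above) Apache has no such directive and answers requests in that directory with a 500 error rather than ignoring the lines; and the directive table in the block is a short PHP 4/5-era subset I wrote for the example, not the manual's full list, so an unknown name is reported instead of guessed. PHP spells the last posted directive `magic_quotes_gpc`; the sample input uses that spelling.

```shell
#!/bin/sh
# Added example (not from the thread): translate php.ini lines into .htaccess
# php_flag/php_value directives and flag what .htaccess cannot set. The mode
# table is a short subset I wrote for the example; the modes are the PHP
# manual's PHP_INI_SYSTEM / PHP_INI_PERDIR / PHP_INI_ALL classes for PHP 4/5.

# Mode of a directive: system = loaded php.ini only; perdir = php.ini or
# .htaccess; all = those plus ini_set() at runtime; unknown = not in the table.
ini_mode() {
    case $1 in
        disable_functions|allow_url_fopen|allow_url_include|safe_mode) echo system ;;
        register_globals|magic_quotes_gpc|upload_max_filesize|post_max_size) echo perdir ;;
        session.use_trans_sid|display_errors|error_reporting|memory_limit|max_execution_time) echo all ;;
        *) echo unknown ;;
    esac
}

# Boolean directives are written with php_flag on|off, the rest with php_value.
ini_is_flag() {
    case $1 in
        register_globals|magic_quotes_gpc|display_errors|session.use_trans_sid) return 0 ;;
        *) return 1 ;;
    esac
}

# Normalise the spellings php.ini accepts for "true" (1, On, True, Yes) to on,
# anything else to off.
ini_bool() {
    case $(printf '%s' "$1" | tr 'A-Z' 'a-z') in
        1|on|true|yes) echo on ;;
        *) echo off ;;
    esac
}

# Read "name = value" lines on stdin (blank lines and ; or # comments skipped).
# Print one .htaccess line per translatable directive and one
# "SKIP name: reason" line per directive that .htaccess cannot carry.
ini_to_htaccess() {
    while IFS= read -r line; do
        case $line in ''|';'*|'#'*) continue ;; esac
        name=$(printf '%s' "$line" | sed 's/[[:space:]]*=.*//')
        value=$(printf '%s' "$line" | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//')
        case $(ini_mode "$name") in
            system)  echo "SKIP $name: PHP_INI_SYSTEM, only the loaded php.ini can set it" ;;
            unknown) echo "SKIP $name: not in this table, check its changeable mode in the PHP manual" ;;
            *) if ini_is_flag "$name"; then
                   echo "php_flag $name $(ini_bool "$value")"
               else
                   echo "php_value $name \"$value\""
               fi ;;
        esac
    done
}

# Constructed input: the four lines from the question above, with the last
# directive spelled the way PHP knows it (magic_quotes_gpc).
sample_ini() {
    cat <<'EOF'
register_globals = 0
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open
allow_url_fopen = 0
magic_quotes_gpc = 0
EOF
}
```

Running `sample_ini | ini_to_htaccess` yields two `php_flag ... off` lines for register_globals and magic_quotes_gpc and two SKIP lines for disable_functions and allow_url_fopen, which is the honest answer to the question: half of that list has no .htaccess equivalent and needs either the hoster or the CGI per-directory php.ini route discussed earlier in the thread.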


Posted: Tue Aug 29, 2006 3:10 am
Joomla! Apprentice
Joined: Thu Jan 19, 2006 4:12 am
Posts: 37
Guys
Do you have to mod the copy script? I changed the get php script and it works like a charm but my
copy script says Error - no source php.ini file even with the new php.ini in my joomla directory.
Thanks
W

_________________
W


Posted: Tue Aug 29, 2006 4:30 am
Joomla! Explorer
Joined: Sat Jun 17, 2006 5:07 pm
Posts: 349
ok, I've got the location of php.ini on my server, but how do I read the contents to add it to my new php.ini file, or am I just reading this wrong?


Posted: Tue Aug 29, 2006 7:34 am
Joomla! Apprentice
Joined: Sat Jul 01, 2006 4:00 pm
Posts: 20
I asked my hosting server to turn register globals to off and they gave me this answer:
Quote:
You can turn register_globals off by writing the following code (line) in an .htaccess file which is under public_html.
--------------------------------------------------------
php_flag register_globals off
--------------------------------------------------------


Is this true? Does it affect all subdirectories under the public_html directory?


Posted: Tue Aug 29, 2006 7:36 am
Joomla! Ace
Joined: Mon Dec 05, 2005 10:17 am
Posts: 1318
Location: New Orleans, LA, USA
Yes (if their configuration allows it, obviously, it does) and yes it will affect all subdirectories of public_html if placed in the public_html folder. Hint: append it to Joomla's .htaccess file if you are using it, otherwise, create your own.

_________________
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions


Posted: Tue Aug 29, 2006 7:39 am
Joomla! Apprentice
Joined: Sat Jul 01, 2006 4:00 pm
Posts: 20
Cool!  :) This certainly beats using the scripts in this forum to copy a personalized php.ini file in every single directory in my web site.


Posted: Tue Aug 29, 2006 7:41 am
Joomla! Ace
Joined: Mon Dec 05, 2005 10:17 am
Posts: 1318
Location: New Orleans, LA, USA
There are ways to set that up properly so you don't have to copy the php.ini to every directory but your hosting company has to have a certain setup.  Unfortunately, most are not wise enough to do this.  That is why I always suggest people talk to their hosting company before they try one of these overrides as your hosting company might have an easier way to do it but you would never know if you didn't ask them. :P

_________________
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions


Posted: Tue Aug 29, 2006 7:47 am
Joomla! Apprentice
Joined: Sat Jul 01, 2006 4:00 pm
Posts: 20
Works perfectly! Thanks for your help Rob.


Posted: Tue Aug 29, 2006 7:49 am
Joomla! Guru
Joined: Thu Aug 18, 2005 8:53 am
Posts: 711
Location: Switzerland
miggalvez wrote:
I asked my hosting server to turn register globals to off and they gave me this answer:
Quote:
You can turn register_globals off by writing the following code (line) in an .htaccess file which is under public_html.
--------------------------------------------------------
php_flag register_globals off
--------------------------------------------------------


Is this true? Does it affect all subdirectories under the public_html directory?


This is by far the preferred method (after the one of having the hoster turn it off for you in his site settings), as php.ini files which are in all folders are valid at the time of installing them.

But imagine in one month from now, you install a new third-party component (with a "register_globals"-dependent vulnerability), and forget about it: that component will not be protected without that php.ini file, and Joomla! will not be able to warn you, as it can't scan all directories for that!

So if at all possible, avoid that method of php.ini files in your own folders, except as an immediate temporary fix.
Prefer:
1) your hoster changing it in his own settings back to the default PHP value, OFF
2) the .htaccess file method if your hoster allows it
3) consider changing hoster if you can't talk with them about these basic PHP security settings "1)" or "2)".

_________________
Beat 8)
www.joomlapolis.com <= Community Builder + CBSubs Joomla membership payment system - team
hosting.joomlapolis.com <= Joomla! Hosting, by the CB Team


Posted: Tue Aug 29, 2006 8:01 am
Joomla! Ace
Joined: Mon Dec 05, 2005 10:17 am
Posts: 1318
Location: New Orleans, LA, USA
Actually, that isn't the only decent way.  If your host knows what they are doing they can set up Apache/PHP to look for a php.ini file per virtualhost in a specific place.  I use this configuration on my own servers and it works very well because it is easier to manage a php.ini file than an .htaccess file in my opinion.  The configuration is actually pretty simple but not many hosters implement it, for some silly reason or another that I would really like to know... anyway, yeah... ask about that option too.

_________________
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions


Posted: Tue Aug 29, 2006 9:26 am
Joomla! Guru
Joined: Thu Aug 18, 2005 8:53 am
Posts: 711
Location: Switzerland
RobS wrote:
Actually, that isn't the only decent way.  If your host knows what they are doing they can setup Apache/PHP to look for a php file per virtualhost in a specific place.  I use this configuration on my own servers and it works very well because it is easier to manage a php.ini file than an .htaccess file in my opinion.  The configuration is actually pretty simple but not many hosters implement for some silly reason or another that I would really like to know... anyway, yeah... ask about that option too.


Yeah, i implied that above (as it's hoster's task), but as we also have hosters in this forum ;) this clarifies it...

Ok, trying to get a full list of preferred options, the first being the best one:

1) hoster sets global default server settings right in the php.ini file (usually in /etc/php.ini)

2) hoster sets default server settings correctly for your site (usually a virtualhost on a shared host) at the right place: it can be in the php.ini file or in httpd.conf or any file included by httpd.conf, including site-specific http.include files, or in the settings of the host management software generating those files for him (warning: manual editing of automatically generated files will kill your edits each time they are regenerated, e.g. when a domain or subdomain is created/modified, resetting the settings).

3) hoster has set or sets you the rights to add the PHP configuration statements in your .htaccess file at the root of the http-accessible area of your server (e.g. httpdocs/ or public_html/). This setting is then valid for all folders and subfolders. Note: get in any case the new great security settings of the 1.0.11 htaccess.txt file (thanks Rob for this great contribution) into your .htaccess file.

4) if 1), 2) or 3) are not feasible at your hoster, and you have non-secure settings, talk with your hoster. These are basic security settings of PHP, which have been set correctly by default in PHP for more than 2 years. Ask him why he changed them and is making his server less secure.

5) if 4) fails, consider 6) below as a temporary safety measure if the hoster's configuration takes it into account, and plan for a hosting migration.

6) if the hoster's configuration takes it into account, add php.ini to each public folder (and later to any newly created folder) containing PHP files. Plan for a hoster with basic PHP security knowledge.

7) In all cases, rename htaccess.txt to .htaccess if you don't have one; otherwise take the security checks at the end of it and copy them at the end of yours. This is an additional line of defense from known attacks on weak 3pd extensions, most of which register_globals would catch. Check its efficiency by typing "www.yoursite.com/blabla?mosConfig=blabla": your site should not display the same as without the text, "www.yoursite.com/blabla?blablabla=blabla"... and plan for a fast hosting migration if 1)-6) could not be implemented.

8) If your hoster even disallowed 7), and doesn't want to discuss, consider immediately changing hoster for one which has, or agrees to, safe PHP parameters for you: meaning at minimum register_globals=OFF and magic_quotes_gpc=ON. Hosters which don't understand these PHP security settings, well... I think by now you should understand that choosing a serious hoster is important.  8)



Reference from the PHP manual on a few less common additional possibilities:
http://ch2.php.net/manual/en/configuration.php (includes a list of directives and default settings).

Register globals off by default since PHP 4.2.0 (that's a long time ago), and why:
http://ch2.php.net/register_globals

More reading on magic_quotes:
http://ch2.php.net/manual/en/security.magicquotes.php

Please post corrections, amendments, etc, as replies, and i will try to edit accordingly.

_________________
Beat 8)
www.joomlapolis.com <= Community Builder + CBSubs Joomla membership payment system - team
hosting.joomlapolis.com <= Joomla! Hosting, by the CB Team


Last edited by Beat on Tue Aug 29, 2006 7:11 pm, edited 1 time in total.
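The check in step 7 of the post above, scripted as an added shell example that is not part of Beat's post and not taken from Joomla's htaccess.txt. It fetches the site twice, once with a meaningless control parameter and once with a `mosConfig_absolute_path` parameter (one of the Joomla 1.0 configuration globals that register_globals-dependent include attacks set from the query string), and reports whether the second request was treated differently from the first. It assumes the htaccess security checks answer such requests with 403 Forbidden, that `curl` is installed, and that the site you point it at is yours to test; `$FETCH` names the fetcher so another command, or a stub, can stand in for curl.

```shell
#!/bin/sh
# Added example (not from the thread): script the "?mosConfig=blabla" check
# from step 7. Assumes the .htaccess filter answers probes with 403 and that
# curl is available; $FETCH can be pointed at any command that prints
# "<http status> <body checksum>" for the URL it is given.

FETCH=${FETCH:-fetch_curl}

# Fetch $1 and print "<status> <cksum of body>" so status and content can be
# compared without keeping the page around.
fetch_curl() {
    body=$(mktemp)
    code=$(curl -s -o "$body" -w '%{http_code}' "$1")
    sum=$(cksum < "$body" | cut -d' ' -f1)
    rm -f "$body"
    printf '%s %s\n' "$code" "$sum"
}

# Compare a control request against a register_globals-style probe on $1
# (the site root, e.g. http://www.yoursite.com, a hypothetical host). Return 0
# when the probe is filtered, 1 when it is served exactly like the control,
# 2 when the two differ in some other way and need a look by hand.
probe_mosconfig_filter() {
    base=${1%/}
    control=$($FETCH "$base/?blablabla=blabla")
    probe=$($FETCH "$base/?mosConfig_absolute_path=blabla")
    probe_code=${probe%% *}
    if [ "$probe_code" = 403 ]; then
        echo "filtered: control [$control], probe [$probe]"
        return 0
    elif [ "$probe" = "$control" ]; then
        echo "NOT filtered: probe answered exactly like the control [$control]"
        return 1
    else
        echo "unclear: control [$control], probe [$probe]; inspect by hand"
        return 2
    fi
}
```

Run it as `probe_mosconfig_filter http://www.yoursite.com` and act on a "NOT filtered" result the way step 7 says. An "unclear" result usually means the page carries something that changes between requests (a timestamp, a session token) and the two bodies should be diffed by hand before concluding anything.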
