secure it with php.ini

by **Pumuckl** on Tue Jul 11, 2006 12:41 pm

Hi,
I don't know, whether you know this, but you can additional secure your Joomla with a php.ini in each directory or you main php.ini if you've an own server:

------------snip------------------
allow_url_fopen = OFF
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open
------------snap------------------

Thanks for your attention

by **Vish** on Tue Jul 11, 2006 7:25 pm

Can the development confirm this for us?
Will this have any problems that we can foresee?
Why doesn't development include this in the Joomla distribution itself?

by **RobS** on Wed Jul 12, 2006 1:54 am

You have to have PHP configured to look for these extra php.ini files which most hosts probably don't do. It is not included in the default install because it is not a common solution. Most PHP developers recognize the potential for misuse of register globals and choose not to use them, it is better to have them turned off completely for the whole server and that is what we recommend.

by **Pumuckl** on Wed Jul 12, 2006 5:42 am

But my Hoster (Schlund) have activated this features and I'm not sure, whether 1and1 this have activated, too.
It's not a failure to do this, if you do not know what your hoster is doing, it's better ti insert your own php.ini-file.
Right?

by **RobS** on Wed Jul 12, 2006 5:54 am

Pumuckl wrote:But my Hoster (Schlund) have activated this features and I'm not sure, whether 1and1 this have activated, too.
It's not a failure to do this, if you do not know what your hoster is doing, it's better ti insert your own php.ini-file.
Right?

PHP will not automatically read the vaules from any file called php.ini. PHP has to be configured in the core php.ini file to scan other directories for more ini files. By default, it only scans the extensions directory for other ini files. Some hosts allow the users to override the configuration of the core php.ini via this method but as far as I am aware it is not a very common practice.

by **albi** on Wed Jul 12, 2006 5:57 am

RobS wrote:
Pumuckl wrote:But my Hoster (Schlund) have activated this features and I'm not sure, whether 1and1 this have activated, too.
It's not a failure to do this, if you do not know what your hoster is doing, it's better ti insert your own php.ini-file.
Right?

PHP will not automatically read the vaules from any file called php.ini. PHP has to be configured in the core php.ini file to scan other directories for more ini files. By default, it only scans the extensions directory for other ini files. Some hosts allow the users to override the configuration of the core php.ini via this method but as far as I am aware it is not a very common practice.

I can overide the php.ini file.

Is this a solution that i can use for a more secure Joomla?

by **RobS** on Wed Jul 12, 2006 6:12 am

If your host has register globals on I would suggest disabling it if you can by a php.ini override. I don't know other than that, I don't mess with the settings of PHP very often to be familiar with more secure/less secure options (aside from register globals, obviously).

by **Pumuckl** on Wed Jul 12, 2006 6:19 am

I can overide the php.ini file.

Is this a solution that i can use for a more secure Joomla?

Yes, this will secure your joomla!
But check out, whether all function of 3rd party addons or components will work after this.
You have to insert the php.ini file in each directory, it does not work recursive!
And you didn't need to use the parameter "phpinfo", only if you don't want to show the user your php-configurations.
I've used it and I see, that joomla works still fine after I inserted the php.ini.
Try it!

if you're able to override the global php.ini, please add "php_value register_globals off", too

php.ini:
-------------snip-------------
allow_url_fopen = OFF
php_value register_globals off
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open
-------------snap-------------

by **albi** on Thu Jul 13, 2006 7:22 am

Do i need to include php.ini also on images folder???

by **Pumuckl** on Thu Jul 13, 2006 7:32 am

albi wrote:Do i need to include php.ini also on images folder???

No, because there are no php-files

by **emagin** on Thu Jul 13, 2006 5:39 pm

I have joomla sites hosted at site5, which runs PHP in cgi mode, supposedly for security.
The default php.ini for the server runs with register_globas=off

To secure your apps, this means that you have to have a php.ini file inside of every directory of your application. This is a major pain, but there is a great solution!

A guy there came up with two great scripts that let you take care of the issue:
1) copy your server's default php.ini - if you don't do this you will cause more damage than doing nothing
2) add the custom features you need in this php.ini
3) copy it across your site with script

http://tips-scripts.com/?tip=php_ini
http://tips-scripts.com/?tip=php_ini_copy
http://tips-scripts.com/?tip=php_ini_delete

I did this after a dotproject app was hacked, and realized how register_globals = ON is dangerous, so i went through all apps to do this. Now I do this as a rule for every app.

So the custom settings would be:

; USER MODIFIED PARAMETERS FOLLOW
register_globals = Off
session.use_trans_sid = 0

And make sure you save CHMOD the php.ini to 0600 before you copy it across the site with the script. (I use winscp to edit the file directly from my desktop, or from putty, not sure if 0600 is too restrictive if you use other methods)

by **nathandiehl** on Tue Jul 25, 2006 1:14 pm

emagin,
thank you very much for links to those scripts. they were very helpful!

by **krbmedia** on Tue Jul 25, 2006 2:00 pm

emagin wrote:I have joomla sites hosted at site5, which runs PHP in cgi mode, supposedly for security.
The default php.ini for the server runs with register_globas=off

To secure your apps, this means that you have to have a php.ini file inside of every directory of your application. This is a major pain, but there is a great solution!

A guy there came up with two great scripts that let you take care of the issue:
1) copy your server's default php.ini - if you don't do this you will cause more damage than doing nothing
2) add the custom features you need in this php.ini
3) copy it across your site with script

http://tips-scripts.com/?tip=php_ini
http://tips-scripts.com/?tip=php_ini_copy
http://tips-scripts.com/?tip=php_ini_delete

I did this after a dotproject app was hacked, and realized how register_globals = ON is dangerous, so i went through all apps to do this. Now I do this as a rule for every app.

So the custom settings would be:

; USER MODIFIED PARAMETERS FOLLOW
register_globals = Off
session.use_trans_sid = 0

And make sure you save CHMOD the php.ini to 0600 before you copy it across the site with the script. (I use winscp to edit the file directly from my desktop, or from putty, not sure if 0600 is too restrictive if you use other methods)

If I use shared hosting how do I get to my servers php.ini file?

by **nathandiehl** on Tue Jul 25, 2006 5:20 pm

create a new php file with teh contents:

its results will give you the location.

by **emagin** on Tue Jul 25, 2006 6:47 pm

The second link listed explains how to copy your ini file.

by **emagin** on Mon Jul 31, 2006 4:18 pm

Also, don't forget to run your copy php.ini script after each component install in Joomla.
There are several components which write data in directories. If there is an exploit of that component (like a forum component, etc.) and you don't run the copy php.ini script to refill those new directories, you could be exposed.

by **Brandito** on Sat Aug 05, 2006 7:13 pm

emagin wrote:Also, don't forget to run your copy php.ini script after each component install in Joomla.
There are several components which write data in directories. If there is an exploit of that component (like a forum component, etc.) and you don't run the copy php.ini script to refill those new directories, you could be exposed.

Hey emagin, thanks for the script. I am a little confused on how I run the copy script though?? I uploaded both the copy and default script from the links you gave me. And I named them, php.ini and multiply-php.ini. I typed the latter in my browsers address bar, but it just gave me an option to save the file.

Is there some kind of program I need to install or use? Could I PM you my scripts so you could have a look at them?

Thanks, Brandon.

by **Hal** on Sat Aug 05, 2006 11:49 pm

Code: Select all: disable_functions = show_source,exec,shell_exec,wget,proc,passthru,system,popen,proc_open,escapeshellcmd,escapeshellarg

by **silexian** on Thu Aug 17, 2006 9:04 am

Hello all

i would like your following ini code "translated" into the .htaccess file.
Do you know the equivalence ?

Code: Select all: register_globals = 0 disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open allow_url_fopen = 0 magic_gpc_quotes = 0

by **Beat** on Thu Aug 17, 2006 9:54 am

silexian wrote:Hello all

i would like your following ini code "translated" into the .htaccess file.
Do you know the equivalence ?

Code: Select all
register_globals = 0 disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open allow_url_fopen = 0 magic_gpc_quotes = 0

I can't agree with magic_gpc_quotes = 0 being more secure than magic_gpc_quotes = 1...

For added security you really should have magic_gpc_quotes = 1

This avoids most sql injection attacks for poor code (or stupidly fergotten escapings) and all joomla and most extensions know how to handle it correctly.

by **wshealy** on Tue Aug 29, 2006 3:10 am

Guys
Do you have to mod the copy script? I changed the get php script and it works like a charm but my
copy script says Error - no source php.ini file even with the new php.ini in my joomla directory.
Thanks
W

by **bret381** on Tue Aug 29, 2006 4:30 am

ok, I've got the location of php.ini on my server, but how do I read the contents to add it to my new php.ini file, or am I just reading this wrong?

by **miggalvez** on Tue Aug 29, 2006 7:34 am

I asked my hosting server to turn register globals to off and they gave me this answer:

You can turn register_globals off by writing the following code (line) in an .htaccess file which is under public_html.
--------------------------------------------------------
php_flag register_globals off
--------------------------------------------------------

Is this true? Does it affect all subdirectories under the public_html directory?

by **RobS** on Tue Aug 29, 2006 7:36 am

Yes (if their configuration allows it, obviously, it does) and yes it will affect all subdirectories of public_html if placed in the public_html folder. Hint: append it to Joomla's .htaccess file if you are using it, otherwise, create your own.

by **miggalvez** on Tue Aug 29, 2006 7:39 am

Cool!

This certainly beats using the scripts in this forum to copy a personalized php.ini file in every single directory in my web site.

by **RobS** on Tue Aug 29, 2006 7:41 am

There are ways to set that up properly so you don't have to copy the php.ini to every directory but your hosting company has to have a certain setup. Unfortunately, most are not wise enough to do this. That is why I always suggest people talk to their hosting company before they try one of these overrides as your hosting company might have an easier way to do it but you would never know if you didn't ask them.

by **miggalvez** on Tue Aug 29, 2006 7:47 am

Works perfectly! Thanks for your help Rob.

by **Beat** on Tue Aug 29, 2006 7:49 am

miggalvez wrote:I asked my hosting server to turn register globals to off and they gave me this answer:
You can turn register_globals off by writing the following code (line) in an .htaccess file which is under public_html.
--------------------------------------------------------
php_flag register_globals off
--------------------------------------------------------

Is this true? Does it affect all subdirectories under the public_html directory?

This is by far the prefered method (after the one of having the hoster turning it off for you in his site settings), as php.ini which are in all folders are valid at time of installing them.

But imagine in one month from now, you install a new third-party component (with a "register-globals"-dependant vulnerability), and forget about it: that component will not be protected without that php.ini file, and Joomla! will not be able to prevent you, as it can't scan all directories for that !

So if at all possible, avoid that method of php.ini files in your own folders, except as immediate temporary fix.
Prefer:
1) your hoster changing it in his own settings back to this default php value.OFF
2) the .htaccess file method if your hoster allows it
3) consider changing hoster if you can't talk with them about these basic php security settings "1)" or "2)".

by **RobS** on Tue Aug 29, 2006 8:01 am

Actually, that isn't the only decent way. If your host knows what they are doing they can setup Apache/PHP to look for a php file per virtualhost in a specific place. I use this configuration on my own servers and it works very well because it is easier to manage a php.ini file than an .htaccess file in my opinion. The configuration is actually pretty simple but not many hosters implement for some silly reason or another that I would really like to know... anyway, yeah... ask about that option too.

by **Beat** on Tue Aug 29, 2006 9:26 am

RobS wrote:Actually, that isn't the only decent way. If your host knows what they are doing they can setup Apache/PHP to look for a php file per virtualhost in a specific place. I use this configuration on my own servers and it works very well because it is easier to manage a php.ini file than an .htaccess file in my opinion. The configuration is actually pretty simple but not many hosters implement for some silly reason or another that I would really like to know... anyway, yeah... ask about that option too.

Yeah, i implied that above (as it's hoster's task), but as we also have hosters in this forum

this clarifies it...

Ok trying to get a full list of prefered options first being best one:

1) hoster sets global default server settings right in php.ini file (usually in /etc/php.ini)

2) hoster sets default server settings correctly for your site (usually a virtualhost on a shared host) at the right place: it can be in php.ini file or in httpd.conf or any file included by httpd.conf, including site-specific http.include files, or in the settings of the host managment software generating those files for him (warning: manual editing of automatically generated files will kill your edits each time they are regenerated e.g. when a domain or subdomain is created/modified, resetting the settings).

3) hoster has set or sets you the rights to add the php configuration statments in your .htaccess file at the root of the http-accessible area of your server (e.g. httpdocs/ or public_html/). This setting is then valid for all folders and subfolders. Note: get in any case the new great security settings of 1.0.11 httpaccess.txt file (thanks Rob for this great contribution) in your .htaccess file .

4) if 1), 2) or 3) are not feasable at your hoster, and you have non-secure settings, talk with your hoster. These are basic security settings of PHP, which are set correctly by default in PHP since more than 2 years. Ask him why he changed them and is making his server less secure.

5) if 4) fails, consider 6) below as temporary safety measure if hoster's configuration take it in account, and plan for a hosting migration.

6) if hoster's configuration take it in account, add php.ini to each public folder (and later to any new created folder) containing php files. Plan for basic php-security knowledgeable hoster.

7) In all cases, rename htaccess.txt into .htaccess if you don't have one, otherwise take the security checks at the end of it and copy them at the end of yours. This is an additional line of defense from known attacks to weak 3pd extensions, most of which register_gloabl would catch. Check it's efficiency by typing "www.yoursite.com/blabla?mosConfig=blabla" : your site should not display same as without the text "www.yoursite.com/blabla?blablabla=blabla"... and plan for a fast hosting migration if 1)-6) could not be implemented

Code: Select all: 8)

If your hoster even disallowed 7) , and doesn't want to discuss, consider changing immediately hoster for one which has or agrees to parameter PHP safely for you: means minimum: register_globals=OFF and magic_quotes_gpc=ON. Hosters which don't understand these php security settings, well... I think by now you should understand that choosing a serious hoster is important.

Reference from PHP manual on a few less common additional possibilities:
http://ch2.php.net/manual/en/configuration.php (includes a link of directives and default settings.

Register globals off by default since php 4.2.0 (that's long time ago), and why:
http://ch2.php.net/register_globals

More reading on magic_quotes:
http://ch2.php.net/manual/en/security.magicquotes.php

Please post corrections, amendments, etc, as replies, and i will try to edit accordingly.

secure it with php.ini

secure it with php.ini

Re: secure it with php.ini

Re: secure it with php.ini

Re: secure it with php.ini

Re: secure it with php.ini

Re: secure it with php.ini

Re: secure it with php.ini

Re: secure it with php.ini

Re: secure it with php.ini

Re: secure it with php.ini

Re: secure it with php.ini

Re: secure it with php.ini

Re: secure it with php.ini

Re: secure it with php.ini

Re: secure it with php.ini

Re: secure it with php.ini

Re: secure it with php.ini

Re: secure it with php.ini

Re: secure it with php.ini

Re: secure it with php.ini

Re: secure it with php.ini

Re: secure it with php.ini

Re: secure it with php.ini

Re: secure it with php.ini

Re: secure it with php.ini

Re: secure it with php.ini

Re: secure it with php.ini

Re: secure it with php.ini

Re: secure it with php.ini

Re: secure it with php.ini

Who is online