Joomla! Discussion Forums

hello,
I deeply apologize because this is the dumbest question i could possibly ask about this thread, but i don't even know what it means to upload a script.  can someone please explain how exactly i upload the copy script from the link in emagin's first post (i tried to search for the answer, but everyone starts from the assumption that you know how to use a script, which i don't)?  As you all are, i am trying to put my php.ini in all my directories, but i can't seem to figure it out.  Obviously, i am not very experienced.  could someone please walk me through the process?  my php.ini is currently in my root.

Thank you very much,
and again, sorry for this question.
joe

The problem with disabling allow_url_fopen is that it breaks quite a few modules, and components which relies on getting info from other websites, like for instance eweather and a few other as well. This is a nightmare to support if 98% off your clients use Joomla, and about 46% have something that breaks the moment I disable allow_url_fopen in the server's php.ini.

What is the REAL benefit of disabling this function, and is there a way to allow it on a per domain /directory case?

Creating a php.ini with the words "allow_url_fopen = On" still gives me the same error

Ok I just got off the phone with my hosting company, they said I can make a php.ini file and I can write the script in the file and leave it on the root of the site, I have just been threw many of pages on this thread, and I am completely lost.
Now for newbies like me, when talking to my hosting company they said I can make the file, and upload it to the root.

So how do I make the file uploading is easy LOL.

If you're able to upload a file to your site, you might want to try the following script. It cobbles together several scripts from others for an all-in-one set of features. To use, copy it into your web_root directory and then point your browser to it.

This script can...
1) copy the shared server's default php.ini file to your web_root directory,
2) create a customized copy of the default file, with a few standard security adjustmens,
3) optionally copy the custom file to all sub-directories,
4) optionally delete all the custom php.ini files except the one in your web_root directory, and finally,
5) list all recently modified files.

This last feature may be useful immediately following an attack to locate maliciously modified files.

Please note that you should remove this script once you are done setting up your php.ini files, as you don't want anyone else to run the script and overwrite your work.

Offered as is, for free (as in freedom); depending on your setup, may not work as intended; use at your own risk, blah, blah, blah...

But, if you find a real bug, I'd appreciate learning about it, and I'll try to fix it.  I usually just tweak the code to make changes for different sites, such as setting more or fewer php.ini settings. I may add a few interface enhancements to avoid code tweaking if there's interest.

http://www.educationgrove.com/index.php ... &Itemid=29

OK
I really have no idea what you are talking about.
can you send me a PM thanks..........

I needed to reinstall PHP on my server this weekend. When logging in to Joomla, I was informed that register globals were ON so I went about to change them in /etc/php.ini

That didn't work as even after restarting the server RG still showed as "on". The setting that did work was changing the php.ini that resided in /ftp/usr/lib. I didn't know there were multiple ones. I spotted the config path on the admin panel.

I have 2 questions as a result of this exercise

1. Does this mean the /etc file works in any folder that doesn't have it's own php.ini? And so the reason the setting didn't work for me was because the php.ini in /ftp/usr/lib took precedence?

2. In the process of getting this to work, I changed the file permission settings in /etc to 755 based on what my hosting company suggested. The rep "thought" that's what the setting should be. I don't know PHP and security, but while I'm comfortable having registers globals off, I'm thinking 755 may be too high. What's the best permission setting for this one? I know in /ftp/usr/lib it was 644.

Just look at their support pages, they explain how to do that, here is the lines I added to my .htaccess :

SetEnv REGISTER_GLOBALS 0
SetEnv PHP_VER 5

hope this helps

Vartan

I had the same problem

Tell them you want a php.ini file in your root folder.
Then just tell the file to turn it off, it works.,..

Hi

I have made a copi og php.ini and edit the Max_Upload_Size from 2mb to 4 mb.

Upload again? Where in root? in all directories with phpfiles?

I uploaded in the mainroot of server and in my sites mainroot    But when i load  joomla backend system "PHP info" max_upload_size" is still 2MB.

The "tips-script" says  The php.ini file has been modified and copied.

What am i doing wrong.
Host is site5

Help needed!

TW

www.astraltech.net.

I have a virus on my website is hacked by a betterstart or something like that.

i tried to put the php.ini , but i have errors in all the modules , like the zoom gallery etc etc..

Anybody can guide me a little bit , its a problem right now ¡

Thanks for all

Start with the Security Forum Stickies: http://forum.joomla.org/index.php/board,267.0.html

Thanks guys, my registry globals is finally off!

Hello everybody,

I am quite new with joomla, and I am not a programmer. I am trying to change register_globals to off. My hosting provider recomend me to create a php.ini file in the Joomla directory with the following line:

"register_globals=off"

and in the .htaccess file to put a line to the php.ini file:

"suPHP_ConfigPath /usr/home/www/username/path/to/php.ini"

It seems to work, looking at sysinf (admin) the settings look good. Would I STILL need to put a php.ini in each directory?  This is the only instruction I have in php.ini.

On the other hand, when you said all directories, do you really mean, every single folder with a php file? or only one within each main folder in the root (administrator, includes..etc.) and one within each of the components (main folder)? 

As I have already noticed some inconsistencies in my host comments, so I rather prefered to asked you guys, just in case. Also, if anyone can recommend me a GREEN (sustainable) webhosting service please let me know.

Thanks

I tried the "php_flag register_globals off " on my computer, worked great
but not on the host server.

Harrison78 Thanks! Awesome solution to this problem. Simple and effective.

-

For more on switching to PHP5 see this FAQ:
http://help.joomla.org/component/option ... temid,268/

BTW: The reason you might want to switch to PHP5 at 1and1 (and similar hosts) is that they have PHP5 register_globals turned OFF by default. Although there are justifiable reasons for hosts to keep register_globals ON in PHP4, good hosts will not repeat this error in PHP5. I think if you find yourself at a host that has PHP5 register_globals ON by default, you should start investigating further options.

This info may be helpful to those that use shared hosting. I use Network Solutions and their server setup has allowed me to set my php.ini file in just ONE folder and it controls all of my public folders. I'll describe my setup - if yours is the same, maybe it'll work for you.

When I login to my FTP account, I can see 4 folders:

1. The parent directory
2. backup
3. cgi-bin
4. htdocs

I cannot create any folders from within this "FTP Root folder", but I can access & write to any of the last three folders. The cgi-bin folder is for any cgi scripts and it's where the server is set up to look for a custom php.ini file. As Rob wrote earlier in this thread, the hosting peeps have to actually set this option to function, otherwise it will ignore your php.ini file.

The 'htdocs' folder is my actual URL root folder (your host may call it your Domain Pointer folder, or something like that). It is within that folder that your site's pages are stored.

If this looks like your setup and it might work for you, then give it a try (you can't hurt anything). Grab your site's primary php.ini file with B&T's script file, as mentioned earlier. Modify it as necessary and FTP that puppy to the cgi-bin folder.

From any directory within your 'htdocs' (or equivalent) folder, test you new php settings with a phpinfo() file. If it shows YOUR settings - success - grab a beer and let out a big WOOHOO! 


Backstory: I had searched all over this board for info that pertains to shared hosting and how to get that blasted "register_globals ON", turned OFF. Lots of info on self-hosted, but only occasional scraps for shared hosting. The info I wrote above comes from the fine folks who post on this threads - most of it from this thread. I just had to put it all together for my situation.

Something to keep in mind if you do have the same setup as described above...that cgi-bin folder (and any other in the FTP root) are NOT accessible from the web. You can even create sub-categories within it, just to keep everything nice & tidy. Any such directories will all be "safe havens" for anything you want to safeguard, like password lists, etc. They're not as safe as what self-hosted peeps get, but it's the best we have!

If you use basic authorization, move the .access.pwd file into the cgi-bin folder and adjust the .htaccess file(s) path for AuthUserFile to that folder (remember to use the full Unix path). If you have multiple basic authorization setup on several directories with different users & passwords, just put them all into that one file.

My background is in html & javascript, with just enough php to get myself into trouble...so if any of the Joomla! Heros in here see anything wrong, please don't hesitate to modify.

I do wish someone would explain that "open_basedir" option a little more. I don't get it. If I restrict to only one folder, which one? More than one? All of the Joomla! site's relevant folders? Then what does it protect. See my confusion?

Thanks to all that have helped me and who will undoubtably help me in the future, with a special mention to these fine peeps - Beat, RobS, emagin (B&T too) and the person that lit the lightbulb above my head, Pintobean! 

Here's how it's described by the PHP site:



The main point of all this is to limit the files that PHP can access to only those within the path you specify.

For example, this would protect the confidential files in the cgi-bin directory from direct access through PHP. Note that PHP scripts are NOT really limited by the Web server. A PHP script can access any file on the server whose file permissions allow it.

Thanks for the reply, rliskey! 

I've read that particular PHP article and dozens more...I'm still confused about how to exactly use it. I understand how its use can require that only specific paths are used (thereby stopping all other paths)...that is correct, right? In a fashion, it's similar to the "require" function in PHP scripts, right?

I don't know which path(s) would make Joomla! safer and/or which path(s) might prevent Joomla! from even working properly. I feel like there's some basic something that I'm missing here. This option is pertinent to a shared hosting setup, right?

If you could show a specific example, I might be able to get it. Assuming a typical Joomla! install (eCommerce w/VM) with its root folder and 12 sub-directories, what would be the path for "open-basedir"? For this example, say I installed directly into my "htdocs", root folder.

(I actually have the current install in a sub-domain as the developement site, with that sub-domain pointed to itself. I've read enough to know not to go Live all at once!)

Sorry for all of the questions, but it's midnight in the forest and my sunglasses are superglued to my head.    Thanks!!

Here's an example that would go in your php.ini file. The exact paths to use depend on your server setup. Note that you can add more than one path, separating them with colons.

BTW: It's okay to allow access to the tmp directory. PHP needs access to it, and if your server's correctly configured, tmp is protected by other means. Normally nothing inside of tmp is  executable, so if a malicious script gets in, it can't do anything.

I have tried this, but no change, I have put both in the root and the sub.

I first tried the standard htaccess file that comes and renamed it to .htaccess, and also tried just php_flag in the .htaccess
When I do nay of these, the whole site refuses to load any css files of the template, plus the warning does not go away any way.

I am trying this script  but the first scripts works ok, but not the second one for copy it says:
Error - no source php.ini file
Also, I don't about these file location below  are they absolute or relative. I tried absolute paths and di not work either. Could you give an example ?
This is how I did it:


Original code

i searched it on my joomla folder...but it is not there...
m working on local host....

php.ini
Where is located....
m not able to find it out....

This does not exist by default, you must creat this file yourself in each directory you want to protect

Not quite: If it is not in your directory, PHP uses the servers default one.

The servers php.ini can be found: Administration > System > Sytem info > PHP info. Look for the option: "Loaded Configuration File" (it's in the beginning)

if you' had read this thread you'd know where to look and what to look for ...
viewtopic.php?f=267&t=75990&st=0&sk=t&sd=a&start=60#p467875

Besides: why on earth would you want to spread php.ini files all over the place on your "localhost" If someone could compromise that machine, you're scr**ed anyway, and having a bunch of php.ini´s won't help ...

Happy fle copying...

CirTap