Joomla! Discussion Forums



Posted: Tue Aug 29, 2006 9:34 am 
Joomla! Ace

Joined: Mon Dec 05, 2005 10:17 am
Posts: 1318
Location: New Orleans, LA, USA
Looks good to me.

_________________
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions


Posted: Tue Aug 29, 2006 3:05 pm
Joomla! Intern

Joined: Thu Sep 15, 2005 9:31 am
Posts: 96
emagin wrote:
A guy there came up with two great scripts that let you take care of the issue:
1) copy your server's default php.ini - if you don't do this you will cause more damage than doing nothing
2) add the custom features you need in this php.ini
3) copy it across your site with script

http://tips-scripts.com/?tip=php_ini
http://tips-scripts.com/?tip=php_ini_copy
http://tips-scripts.com/?tip=php_ini_delete

I did this after a dotproject app was hacked, and realized how register_globals = ON is dangerous, so i went through all apps to do this. Now I do this as a rule for every app.



These scripts don't work for me.
The copy script told me that it can't find my php.ini, and the delete script shows "Done." but it doesn't delete all my manually copied php.ini files from the folders.

Any Ideas?

_________________
MV Baltic Radio - The REAL Music Station
http://www.mvbalticradio.de
- Powered by Joomla! -


Posted: Tue Aug 29, 2006 6:10 pm
Joomla! Enthusiast

Joined: Tue Dec 13, 2005 10:57 am
Posts: 181
Location: Los Angeles
I am getting the same thing as posted by X-Dimension.

_________________
http://www.iChoson.com
-------------------------------------------
Joomla 1.5.13


Posted: Tue Aug 29, 2006 6:58 pm
Joomla! Explorer

Joined: Sat Jun 17, 2006 5:07 pm
Posts: 349
make sure the paths are correct in the php.ini file, also in the copy file.  And make sure you have write permissions for the folders.


Posted: Tue Aug 29, 2006 7:31 pm
Joomla! Intern

Joined: Thu Sep 15, 2005 9:31 am
Posts: 96
What should the path look like?
What does "/home/" mean in this PHP script? "public_html" is my public www directory, isn't it?

Concerning write permissions:
Who needs the write permissions? (owner, group or public?)
At this time only the owner has write permissions.

_________________
MV Baltic Radio - The REAL Music Station
http://www.mvbalticradio.de
- Powered by Joomla! -


Posted: Tue Aug 29, 2006 7:34 pm
Joomla! Explorer

Joined: Fri Aug 26, 2005 5:05 am
Posts: 291
Location: Pennsylvania, USA
bret381 wrote:
make sure the paths are correct in the php.ini file, also in the copy file.  And make sure you have write permissions for the folders.


That might be a bit easier if the paths were documented...

I'm hosted with 1and1.com and have 3 installs of Joomla, running in different subdirs.  For example, in one of the installs, the absolute dir is shown as

Code:
'/homepages/45/d98820553/htdocs/wilson2020';


Assuming I put my php.ini and the script files in the wilson2020 subdir, what values should I have for the vars in the script lines shown?

Code:
$path = "/home/" . get_current_user() . "/public_html";
$source = $path . "/php.ini";


In other words, what should I have for "/home/", "/public_html/" and "/php.ini"?  Because I have it setup as follows:

Code:
$path = "/homepages/45/d98820553/" . get_current_user() . "/homepages/45/d98820553/htdocs";
$source = $path . "/homepages/45/d98820553/htdocs/wilson2020/php.ini";


And I'm getting the same results as the last two posters...and BTW with all the cross talk I'm a bit confused now; is the following php.ini file correct?

Code:
allow_url_fopen = OFF
register_globals = OFF
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open


It appears to have stopped the error message in Administrator but I'd just like to be sure and also to make it clear for others who will follow this thread.

Right now, I'm copying everything manually but I'm starting to get repetitive stress injury!!  And I have more sites to deal with before I sleep...so any help will be appreciated!  ;D

_________________
Robert Anthony Pitera
West of East, Inc. - http://www.westofeast.com - Taking technology in new directions™
SchoolastechWorks - http://www.schoolastech.com - Joomla Educational Development


Last edited by kaizen on Tue Aug 29, 2006 7:52 pm, edited 1 time in total.

Posted: Tue Aug 29, 2006 7:55 pm
Joomla! Explorer

Joined: Fri Mar 03, 2006 3:26 pm
Posts: 267
Location: Canuck via MKE
I went through all the best possible solutions with my host but the only real choice for me at the moment is to copy php.ini to all my folders using the scripts described earlier in this thread. I successfully performed the task as follows:

a. Edit the path in copy script as appropriate
b. Copy php.ini and the copy script to the Joomla! root folder
c. CHMOD 0600 php.ini
d. Call the script from a browser
e. Delete php script

However, going back to run the scripts each time you add an extension is likely to not be 100% (i.e. I am forgetful) and thus leaves my site vulnerable. I considered setting up the script as a cronjob to run once daily for example. Here is what my host notes about setting up cronjobs:

* In case you use a PHP cron script, please set its first line to: #!/usr/local/bin/php4.cli
* You must set read and execute permissions (like 775) to your script, to be able to run it.

1. Do I have to worry about leaving my copy script in the Joomla! root with CHMOD 775?
2. Can I just use the copy script 'as is' (see below) except for the addition noted above (#!/usr/local/bin/php4.cli)?

Code:
**** Start php.ini file ************
register_globals = off
post_max_size = 20M
memory_limit = 80M
upload_max_filesize = 20M
max_execution_time = 120
expose_php=off
**** End php.ini file **************



Code:
**** Start phpini_copy.php file ************
<?php
// set this value to Y if you only want to overwrite old php.ini files
// set this value to N if you want to put a php.ini file in every directory
$overwriteOnly = "N";

if ($overwriteOnly == "Y") echo "Operating in Overwrite Only Mode<br><br>";
$path = "/home/user/www/www";
$source = $path . "/php.ini";
if (!file_exists($source)) die('Error - no source php.ini file');
function search($dir) {
  global $source;
  global $overwriteOnly;
  $dh = opendir($dir);
  while (($filename = readdir($dh)) !== false) {
    if ( $filename !== '.' AND $filename !== '..' AND $filename !== 'cgi-bin' AND is_dir("$dir/$filename") ) {
      $path = $dir."/".$filename;
      $target = $path . "/php.ini";
      if (!file_exists($target) AND $overwriteOnly == "Y") {
        echo "$path <b>skipped - no php.ini file</b><br>";
      } else {
        echo "$target <br>";
        if (!copy($source,$target)) echo "<b>Write failed for $target </b><br>";
        if (file_exists($target)) chmod($target,0600);
      }
      search($path);
    }
  }
  closedir($dh);
}
search($path);
echo "<br>Done.";
?>
**** End phpini_copy.php file ****************

_________________
Victor Drover - Curator, Joomla Extensions Directory
http://dev.anything-digital.com
The home of JCal Pro (the Joomla event calendar) and sh404SEF - SEO & security for Joomla


Last edited by vdrover on Tue Aug 29, 2006 7:58 pm, edited 1 time in total.

Posted: Tue Aug 29, 2006 8:33 pm
Joomla! Explorer

Joined: Fri Aug 26, 2005 5:05 am
Posts: 291
Location: Pennsylvania, USA
Vdrover -

I sure am glad you posted your edit of the copy script, because by looking at it I finally understood what was going wrong with mine...
For others who might have been confused, here's an explanation:

Firstly, like vdrover, I eliminated the part after the path declaration that read
Code:
. get_current_user() . "/homepages/45/d98820553/htdocs/";


as it wasn't necessary for me.  (Note, I'm using this at 1and1.com, your mileage may vary however!)

$path=  should be the ABSOLUTE PATH TO WHERE THE SCRIPT IS RUNNING FROM  HINT: If you run this from the root of your joomla installation, it should be the same as the value for "$mosConfig_absolute_path =" in your configuration.php file!

$source=  should be WHERE THE SOURCE PHP.INI FILE IS LOCATED, if it's in the same place as the script it should simply read "/php.ini" since the statement
Code:
$source= $path . "/php.ini";


will take the value for the variable "$path" and append the value "/php.ini" to it.  I did this and it worked like a charm; don't forget to edit your globals.php and set it to OFF! I just wish I saw this BEFORE I went ahead and did everything manually...phew!  At least NOW I won't have to do it for the other 8 sites!!

Thanks!

_________________
Robert Anthony Pitera
West of East, Inc. - http://www.westofeast.com - Taking technology in new directions™
SchoolastechWorks - http://www.schoolastech.com - Joomla Educational Development


Last edited by kaizen on Tue Aug 29, 2006 8:42 pm, edited 1 time in total.

Posted: Tue Aug 29, 2006 8:58 pm
Joomla! Enthusiast

Joined: Tue Dec 13, 2005 10:57 am
Posts: 181
Location: Los Angeles
I'm sorry,

But just to clarify, what should I do with these scripts once I am finished?

Also, after following the examples on this page, and I am good to go.

_________________
http://www.iChoson.com
-------------------------------------------
Joomla 1.5.13


Posted: Tue Aug 29, 2006 9:14 pm
Joomla! Explorer

Joined: Fri Aug 26, 2005 5:05 am
Posts: 291
Location: Pennsylvania, USA
I'm deleting mine on the sites and keeping a copy in my client files.

_________________
Robert Anthony Pitera
West of East, Inc. - http://www.westofeast.com - Taking technology in new directions™
SchoolastechWorks - http://www.schoolastech.com - Joomla Educational Development


Posted: Tue Aug 29, 2006 9:42 pm
Joomla! Intern

Joined: Thu Sep 15, 2005 9:31 am
Posts: 96
@kaizen

Thank you very much! That works for me!

XD

_________________
MV Baltic Radio - The REAL Music Station
http://www.mvbalticradio.de
- Powered by Joomla! -


Posted: Tue Aug 29, 2006 11:20 pm
Joomla! Explorer

Joined: Fri Aug 26, 2005 5:05 am
Posts: 291
Location: Pennsylvania, USA
@ X-Dimension

Glad to have helped you - to answer your other question, setting the permissions for 600 would leave only the owner with permissions which is fine - so you're good to go.

In the interim, I've noted that there are a few fixes involved if you use the php.ini file I showed, especially with Joomlaboard and Community Builder (not only for register_globals but for disallowing exec calls from PHP), so make sure you customize your php.ini file to your own situation, and read this thread regarding fixes http://forum.joomla.org/index.php/topic,86525.0.html that you need to apply to 3PD apps after turning globals off.

_________________
Robert Anthony Pitera
West of East, Inc. - http://www.westofeast.com - Taking technology in new directions™
SchoolastechWorks - http://www.schoolastech.com - Joomla Educational Development


Posted: Wed Aug 30, 2006 2:23 am
Joomla! Apprentice

Joined: Thu Jan 19, 2006 4:12 am
Posts: 37
I tried the htaccess change on 1&1 and it doesn't work :<

Talking to them on the phone is nearly worthless. Getting them to change a system setting either globals off or allowing the entry in htaccess is hopeless. Time to start looking to move.

The 3 script solution does work. I have all three scripts working. Thanks to the discussion here.

Now for the 100K question ---

The copy script put the php.ini file in more than 1300 directories most of which have nothing to do with php.

Would it be possible to enhance the script so it looks for a .php or variation .php4 etc and only copies php.ini to those directories?
That is what I did manually before the script worked for me. It would be cleaner, wouldn't depend on the overwrite logic which I think is likely to miss a new php directory, and wouldn't leave php.ini files to show up in directory listing to confuse or intrigue prying eyes. Does this make sense?

Could someone help me?

Thanks.
W <-- for Wallace not for president, Yes, it stuck from my userid.

PS - I'm having other pressing upgrade issues that I need to attend to in other post. My frontend login won't -- between joomla, cb, joomla-smf bridge it could be anything it isn't globals <-- Thanks to getting the scripts to work I turn them on and off to test.

_________________
W


Posted: Wed Aug 30, 2006 4:31 am
Joomla! Explorer

Joined: Fri Mar 03, 2006 3:26 pm
Posts: 267
Location: Canuck via MKE
Glad you guys are getting things running well. However, I want to set this up as a cron job and thus need to leave the script there. Is this dangerous? Could the script itself be a source of insecurity?

_________________
Victor Drover - Curator, Joomla Extensions Directory
http://dev.anything-digital.com
The home of JCal Pro (the Joomla event calendar) and sh404SEF - SEO & security for Joomla


Posted: Wed Aug 30, 2006 6:07 am
Joomla! Apprentice

Joined: Fri Oct 21, 2005 8:03 pm
Posts: 7
Here's a wiki page on how to run your own php.ini on your domain at dreamhost.com:

http://wiki.dreamhost.com/index.php/PHP.ini

This might be helpful to other folks who are on shared webhosts, not just dreamhost. Basically, you copy the system php.cgi and php.ini files to your own cgi-bin folder, and run a little script with some Perl that parses those files and replaces the specific directives that you want modified with your chosen value.

Here's what I ran:
Code:
#!/bin/sh
CGIFILE="$HOME/webroot/cgi-bin/php.cgi"
INIFILE="$HOME/webroot/cgi-bin/php.ini"
cp /dh/cgi-system/php5.cgi "$CGIFILE"
cp /etc/php5/cgi/php.ini "$INIFILE"

perl -p -i -e '
s/.*post_max_size.*/post_max_size = 100M/;
s/.*upload_max_filesize.*/upload_max_filesize = 100M/;
s/.*register_globals.*/register_globals = 0/;
s/.*allow_url_fopen.*/allow_url_fopen = 0/;
s/.*magic_gpc_quotes.*/magic_gpc_quotes = 0/;
s/.*magic_quotes_gpc.*/magic_quotes_gpc = Off/;
s/.*safe_mode.*/safe_mode = 1/;
' "$INIFILE"

They suggest setting up a cron job to run this script weekly to keep it up-to-date. Works like a charm for me! BTW thanks to all the developers who put in great time and effort to keep Joomla! up-to-date and as secure as possible.


Posted: Wed Aug 30, 2006 7:11 am
Joomla! Enthusiast

Joined: Thu Aug 18, 2005 6:43 pm
Posts: 112
Having trouble getting the above scripts going?

Change this:
Code:
$path = "/home/" . get_current_user() . "/public_html";

into this
Code:
$path = getcwd();


Posted: Wed Aug 30, 2006 12:24 pm
Joomla! Explorer

Joined: Fri Aug 26, 2005 5:05 am
Posts: 291
Location: Pennsylvania, USA
vdrover wrote:
Glad you guys are getting things running well. However, I want to set this up as a cron job and thus need to leave the script there. Is this dangerous? Could the script itself be a source of insecurity?


I'm not an expert, but my guess would be that if someone could find a way to upload a different php.ini file, or modify the delete script to delete something else (say your configuration.php or maybe *.php) it would be a risk.  I'm not willing to take the chance so I'm deleting mine at the host.

Now if you were running it as a cron job and put it in a more secure area that should be fine - but you'll have to ask someone else how to accomplish that as I'm afraid I don't know how.

_________________
Robert Anthony Pitera
West of East, Inc. - http://www.westofeast.com - Taking technology in new directions™
SchoolastechWorks - http://www.schoolastech.com - Joomla Educational Development


Posted: Wed Aug 30, 2006 4:26 pm
Joomla! Explorer

Joined: Fri Mar 03, 2006 3:26 pm
Posts: 267
Location: Canuck via MKE
kaizen wrote:
I'm not an expert, but my guess would be that if someone could find a way to upload a different php.ini file, or modify the delete script to delete something else (say your configuration.php or maybe *.php) it would be a risk.  I'm not willing to take the chance so I'm deleting mine at the host.

Now if you were running it as a cron job and put it in a more secure area that should be fine - but you'll have to ask someone else how to accomplish that as I'm afraid I don't know how.


I just realized that my host has a private area not accessible via the web. /home/user/private. I used the modified script below (as well as the php.ini file noted earlier) to set up a cron job using this now secure script. The main difference is that the script is not working recursively, but in /home/user/www.

Now I can leave the script safely in /home/user/private and let the cron job run once a day...SWEEEEEET!

Code:
#!/usr/local/bin/php4.cli
<?php
// the shebang line above is required by my host in all cron jobs and has to be the first line of the file. Ask your host if you need this or a modified version
// set this value to Y if you only want to overwrite old php.ini files
// set this value to N if you want to put a php.ini file in every directory
$overwriteOnly = "N";
if ($overwriteOnly == "Y") echo "Operating in Overwrite Only Mode<br><br>";

// modify the following path as appropriate for your host. This is where you have your joomla
// installations and where you want to copy the php.ini files.
$path = "/home/user/www";

//modify the following to the absolute path of your script and php.ini file.
$sourcepath = "/home/user/private";
$source = $sourcepath . "/php.ini";

if (!file_exists($source)) die('Error - no source php.ini file');
function search($dir) {
  global $source;
  global $overwriteOnly;
  $dh = opendir($dir);
  while (($filename = readdir($dh)) !== false) {
    if ( $filename !== '.' AND $filename !== '..' AND $filename !== 'cgi-bin' AND is_dir("$dir/$filename") ) {
      $path = $dir."/".$filename;
      $target = $path . "/php.ini";
      if (!file_exists($target) AND $overwriteOnly == "Y") {
        echo "$path <b>skipped - no php.ini file</b><br>";
      } else {
        echo "$target <br>";
        if (!copy($source,$target)) echo "<b>Write failed for $target </b><br>";
        if (file_exists($target)) chmod($target,0600);
      }
      search($path);
    }
  }
  closedir($dh);
}
search($path);
echo "<br>Done.";
?>

_________________
Victor Drover - Curator, Joomla Extensions Directory
http://dev.anything-digital.com
The home of JCal Pro (the Joomla event calendar) and sh404SEF - SEO & security for Joomla
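
The change wshealy asked for earlier in the thread (copy php.ini only into directories that actually contain PHP scripts), combined with the cron setup outside the web root from the post above. This is an added example, not code from any poster or from the tips-scripts.com scripts; the two paths, the extension list and the function names `dirHasPhp` and `syncDir` are assumptions to adjust for your host.

```php
<?php
// Added example (not from the thread). Paths below are assumptions.
// Keep this file outside the web root and run it from cron.

if (PHP_SAPI !== 'cli') {          // refuse to run if requested over HTTP
    header('HTTP/1.1 403 Forbidden');
    exit;
}

$source  = '/home/user/private/php.ini';   // master copy (assumed location)
$webRoot = '/home/user/www';               // tree to cover (assumed location)
$phpExts = array('php', 'php3', 'php4', 'php5', 'phtml');
$skip    = array('cgi-bin');

if (!is_file($source) || !is_dir($webRoot)) {
    fwrite(STDERR, "Missing source php.ini or web root\n");
    exit(2);
}
$sourceHash = hash_file('sha256', $source);
$report = array('written' => array(), 'stale' => array(), 'failed' => array());

// True if $dir directly contains at least one PHP script.
function dirHasPhp($dir, $exts)
{
    $names = @scandir($dir);
    if ($names === false) return false;
    foreach ($names as $name) {
        $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
        if (in_array($ext, $exts, true) && is_file("$dir/$name")) return true;
    }
    return false;
}

// Bring $dir/php.ini in line with the master copy, then recurse.
function syncDir($dir)
{
    global $source, $sourceHash, $phpExts, $skip, $report;
    $target = "$dir/php.ini";

    if (dirHasPhp($dir, $phpExts)) {
        if (is_link($target)) {
            // never write through a symlink: it could point outside this tree
            $report['failed'][] = "$target (is a symlink)";
        } elseif (!is_file($target) || hash_file('sha256', $target) !== $sourceHash) {
            // write to a temp name first so a half-written php.ini is never live
            $tmp = "$target.tmp." . getmypid();
            if (copy($source, $tmp) && chmod($tmp, 0600) && rename($tmp, $target)) {
                $report['written'][] = $target;
            } else {
                @unlink($tmp);
                $report['failed'][] = $target;
            }
        } else {
            chmod($target, 0600);   // content is current; re-assert owner-only mode
        }
    } elseif (is_file($target)) {
        // no PHP here: a copy left behind by an earlier copy-everywhere run
        $report['stale'][] = $target;
    }

    $names = @scandir($dir);
    if ($names === false) {
        $report['failed'][] = "$dir (unreadable)";
        return;
    }
    foreach ($names as $name) {
        if ($name === '.' || $name === '..' || in_array($name, $skip, true)) continue;
        $sub = "$dir/$name";
        // skip symlinked directories to avoid loops and leaving the tree
        if (is_dir($sub) && !is_link($sub)) syncDir($sub);
    }
}

syncDir(rtrim($webRoot, '/'));
foreach ($report as $kind => $paths) {
    foreach ($paths as $p) echo "$kind: $p\n";
}
exit(count($report['failed']) > 0 ? 1 : 0);   // non-zero exit lets cron mail flag failures
```

Run it with the PHP CLI binary your host provides, for example from a daily cron entry. The `stale` lines list php.ini copies in directories with no PHP scripts; the script reports them but does not delete them.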


Posted: Wed Aug 30, 2006 11:23 pm
Joomla! Apprentice

Joined: Wed Aug 30, 2006 11:12 pm
Posts: 19
Hello All, this is my first posting to this site. :)

The best way I have found to have it work, was to just add the php flags at the top of Joomlas .htaccess file and place it in the directory Joomla resides in on your server.  I only needed the two below for this new 1.0.11 update.


php_flag register_globals off

php_flag magic_quotes_gpc on


NOTE: Will not work without the php_flag in front of them. Also some servers like using 0 instead of off and on instead of 1.


Posted: Thu Aug 31, 2006 12:41 am
Joomla! Apprentice

Joined: Tue Jun 20, 2006 10:39 pm
Posts: 20
This may be of interest to members who use 1and1 for their Joomla hosting.

I found an easy way to switch register globals off on a 1and1 shared hosting account by making the server run all php scripts through php 5 instead of php 4.  1and1 run a much more secure PHP5 configuration compared to their PHP4 installation and by default registerglobals is off, as well as some other more secure settings being set as standard.

By default all .php scripts on a 1and1 server use PHP 4 and you have to rename scripts to .php5 for the apache server to use PHP 5, but you can easily tell the apache server to use PHP 5 for all scripts, and this is done by placing a .htaccess file at the root of your Joomla installation with the following line in it:

Code:
AddType x-mapp-php5 .php


This will tell Apache to use PHP5 instead of PHP4 for the extension .php in the directory the .htaccess is placed and all sub-directories under it.


Posted: Thu Aug 31, 2006 2:41 am
Joomla! Explorer

Joined: Fri Mar 03, 2006 3:26 pm
Posts: 267
Location: Canuck via MKE
DoctorMicro wrote:
Hello All, this is my first posting to this site. :)

The best way I have found to have it work, was to just add the php flags at the top of Joomlas .htaccess file and place it in the directory Joomla resides in on your server.  I only needed the two below for this new 1.0.11 update.


php_flag register_globals off

php_flag magic_quotes_gpc on


NOTE: Will not work without the php_flag in front of them. Also some servers like using 0 instead of off and on instead of 1.


My host has PHP running as CGI under the SuExec environment. They say that with this configuration you cannot set PHP values in .htaccess files ("This only works with PHP in mod_php mode").

Can anyone confirm this?

_________________
Victor Drover - Curator, Joomla Extensions Directory
http://dev.anything-digital.com
The home of JCal Pro (the Joomla event calendar) and sh404SEF - SEO & security for Joomla


Posted: Thu Aug 31, 2006 5:01 am
Joomla! Apprentice

Joined: Thu Jan 19, 2006 4:12 am
Posts: 37
wshealy wrote:
Would it be possible to enhance the script so it looks for a .php or variation .php4 etc and only copies php.ini to those directories?
That is what I did manually before the script worked for me. It would be cleaner, wouldn't depend on the overwrite logic which I think is likely to miss a new php directory, and wouldn't leave php.ini files to show up in directory listing to confuse or intrigue prying eyes. Does this make sense?

Could someone help me?

Thanks.
W


Could anybody help me with this?

Thanks
W

_________________
W


Posted: Thu Aug 31, 2006 7:29 am
Joomla! Ace

Joined: Mon Dec 05, 2005 10:17 am
Posts: 1318
Location: New Orleans, LA, USA
vdrover wrote:
DoctorMicro wrote:
Hello All, this is my first posting to this site. :)

The best way I have found to have it work, was to just add the php flags at the top of Joomlas .htaccess file and place it in the directory Joomla resides in on your server.  I only needed the two below for this new 1.0.11 update.


php_flag register_globals off

php_flag magic_quotes_gpc on


NOTE: Will not work without the php_flag in front of them. Also some servers like using 0 instead of off and on instead of 1.


My host has PHP running as CGI under the SuExec environment. They say that with this configuration you cannot set PHP values in .htaccess files ("This only works with PHP in mod_php mode").

Can anyone confirm this?


This is true.

_________________
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions


Posted: Thu Aug 31, 2006 8:53 am
Joomla! Apprentice

Joined: Sat Nov 19, 2005 12:54 pm
Posts: 16
My website hosts allow me to create my own php.ini file, can anyone point a newbie to a template file or text for file I can modify for globals off? PHP info says etc/php.ini. Do I create a new folder called 'etc' because I can't see one via FTP? Please advise.

_________________
Regards.
Paul Le Hat.


Posted: Thu Aug 31, 2006 9:28 am
Joomla! Apprentice

Joined: Tue Dec 20, 2005 9:04 am
Posts: 14
Harrison78 wrote:
By default all .php scripts on a 1and1 server use PHP 4 and you have to rename scripts to .php5 for the apache server to use PHP 5, but you can easily tell the apache server to use PHP 5 for all scripts, and this is done by placing a .htaccess file at the root of your Joomla installation with the following line in it:

Code:
AddType x-mapp-php5 .php


This will tell Apache to use PHP5 instead of PHP4 for the extension .php in the directory the .htaccess is placed and all sub-directories under it.


This is an awesome suggestion.  Thanks!  I was having trouble getting the scripts on this thread working, but this works like a dream!


Posted: Thu Aug 31, 2006 11:52 am
Joomla! Intern

Joined: Fri Jun 23, 2006 11:14 pm
Posts: 84
paullehat wrote:
My website hosts allow me to create my own php.ini file, can anyone point a newbie to a template file or text for file I can modify for globals off? PHP info says etc/php.ini. Do I create a new folder called 'etc' because I can't see one via FTP? Please advise.


My host told me to take the .htacess.txt and rename it php.ini. The server runs phpsuexec. I put it in the joomla root and joomla/admin folders. That got rid of the warnings and my host says that the subfolders should be covered. I have my doubts though as the security warning did not disappear until I put a copy in the admin. It may be that I did not wait and popped it in immediately after I saw the security flag on the back end.

Steve


Posted: Thu Aug 31, 2006 12:36 pm
Joomla! Guru

Joined: Thu Aug 18, 2005 8:53 am
Posts: 711
Location: Switzerland
steveoc wrote:
...
My host told me to take the .htacess.txt and rename it php.ini
...
my host says that the subfolders should be covered.


I'm in between:  >:(  :( :-\  :'(  >:(  :(  :'(

But also, this is the most  :laugh:  :laugh:  :laugh:  :laugh:  :laugh:  I heard from a hoster today.

Sorry, both are 100% wrong statements. Who knows how these servers are configured...

Quote:
I have my doubts though as the security warning did not disappear until I put a copy in the admin...


You are right to have serious doubts.  8)

Security fix #1 for your site: Run away from this hoster the fastest you can.

Read carefully all pages of the front-page announcement of Joomla 1.0.11 on http://www.joomla.org/ to get better instructions on htaccess.txt and other settings. Read the sticky posts on the security sub-forum. Choose a hoster who knows what he is doing...

_________________
Beat 8)
www.joomlapolis.com <= Community Builder + CBSubs Joomla membership payment system - team
hosting.joomlapolis.com <= Joomla! Hosting, by the CB Team


Posted: Thu Aug 31, 2006 12:48 pm
Joomla! Intern

Joined: Fri Jun 23, 2006 11:14 pm
Posts: 84
Beat wrote:
Quote:
I have my doubts though as the security warning did not disappear until I put a copy in the admin...


You are right to have serious doubts.  8)

Security fix #1 for your site: Run away from this hoster the fastest you can.

Read carefully all pages of the front-page announcement of Joomla 1.0.11 on http://www.joomla.org/ to get better instructions on htaccess.txt and other settings. Read the sticky posts on the security sub-forum. Choose a hoster who knows what he is doing...



Okay--as I suspected! Unfortunately I cannot move it right now, but I will when the opportunity arises. Looks like it's time to find the path to the php.ini and use the scripts to copy and replicate it with the needed modifications. Just can't get the script to work! (I already tried it--as you can see, I didn't believe them either!). I can't use .htaccess on this server--it has to be the php.ini route as attempts to use the .htaccess throw errors.

All my other sites are fine as they are on another server that allows the .htaccess.

Steve


Posted: Thu Aug 31, 2006 9:20 pm
Joomla! Intern

Joined: Fri Jun 23, 2006 11:14 pm
Posts: 84
When I try to run the initialize script, I keep getting

Quote:
Parse error: syntax error, unexpected T_CONSTANT_ENCAPSED_STRING in /home/user/public_html/php-initialize.php on line 4


I am ready to give up. I've been working on securing this site for days. I can't even keep straight what I have read. I'd hire help, but the site is my school's and by the time I get the business manager to act, it would be into the next year.

Now tech support says just write a text file with register_globals = Off, name it php.ini, and put it in each folder. I tried the copy script and got the same error.

Steve


Posted: Fri Sep 01, 2006 5:56 am
Joomla! Apprentice

Joined: Thu Jan 19, 2006 4:12 am
Posts: 37
This gives me a 500 error. Any suggestions?

Harrison78 wrote:
This may be of interest to members who use 1and1 for their Joomla hosting.
Code:
AddType x-mapp-php5 .php


Thanks
W

_________________
W

