Joomla! Discussion Forums



Posted: Fri Sep 08, 2006 6:30 pm
Joomla! Intern

Joined: Sun Sep 03, 2006 8:12 pm
Posts: 60
Hey guys-
I appreciate all the input here, but now I am confused. Before, it was throw a simple php.ini file in every directory and you're done. Now I'm hearing that it's much more complex than that, and all I will get is major problems trying to do it that way.

I am about to do a 'Grand Opening' and marketing blitz on my site this weekend. Before I do that, I want to make sure some idiot can't get in there and destroy it all (well, I'd like to make it as difficult as possible for them to).  As a newbie who doesn't know php at all- or server stuff, and is hosted at GoDaddy.com- what do I do? What's the most effective way to secure my site as best as possible? And no, switching servers/hosts is not an option at this point.

Thanks guys, I really appreciate it all!


Posted: Fri Sep 08, 2006 9:30 pm
Joomla! Champion

Joined: Fri Sep 09, 2005 2:13 pm
Posts: 6745
Location: The Netherlands
Try this one:

Quote:
1) hoster sets global default server settings right in php.ini file (usually in /etc/php.ini)


It's working for the whole site. It's the global php.ini file. 
When they have Ensim Pro control panels the client can change the php.ini file themselves  :)

_________________
Robert Dam - Joomla Forum Moderator
Dutch Boards | Joomla Coding Boards | English Support Boards


Posted: Sat Sep 09, 2006 2:19 am
Joomla! Apprentice

Joined: Thu Jan 19, 2006 4:12 am
Posts: 37
It is possible to get 1&1 site clean!!! :)
I have made great progress now running 1.0.11 under php 1.5.6 after deleting mod_votd (500 error).
We have gotten the whole site cleaned up for 1.5 beta

I can't say enough for Ken and Open-SEF they both rock. Ken made a personal appearance on my site to tune Open-SEF up and eliminate problems I had caused by my lack of understanding.

I also solved a problem that bit me while the site was down when Google crawled me while I was offline and I lost all my site information in Google. Google for webmasters says a site should return a "503 Service unavailable" when it is down for service. Of course joomla doesn't. My version now does. Wish I could figure out who could get this code added to the next release.

Code:
// Tell crawlers the outage is temporary while the site is offline
if ( $mosConfig_offline == 1 ) {
   header("HTTP/1.1 503 Service unavailable");
   header("Status: 503 Service unavailable");
}


I added it to offline.php about 4 lines down right after define globals.

Goes off to be a happy camper! Thanks for everyone's help.

_________________
W


Posted: Sat Sep 09, 2006 11:07 am
Joomla! Explorer

Joined: Mon Dec 12, 2005 5:34 pm
Posts: 410
pactum wrote:
No, what's ridiculous is that Joomla is so insecure that it needs register globals off.

Sorry, but you apparently have no clue about the subject. J! runs perfectly well with RG off.
Almost any "security leakage" in Joomla! was based on PHP's own holes that made *every* PHP application vulnerable the same way, and the fact that there are masses of extensions written by unskilled "developers". There is nothing like a "secure software" of that complexity, but the J! developers did an excellent job in fixing every new hole that was found in either PHP or caused by some behaviour somebody was able to foresee.

_________________
You can have programs written fast, well, and cheap, but you only get to pick 2 ...

"I love deadlines. I like the whooshing sound they make as they fly by." Douglas Adams


Last edited by CirTap on Sat Sep 09, 2006 11:10 am, edited 1 time in total.

Posted: Sat Sep 09, 2006 12:20 pm
Joomla! Enthusiast

Joined: Thu Sep 15, 2005 3:54 pm
Posts: 111
Location: Lancaster, UK (near the Lake District)
I asked my host Streamline if they could turn off register_globals in php.ini and this is their reply. Should I move to the Windows server, or move host?

Hi Alex Walker,

Thanks for your query.

Please note that as you are hosted on Linux, register_globals are turned on. They are off on our Windows servers. You are able to move between servers through this control panel using the Switch Windows/Linux option.

We hope you are enjoying your weekend.

Kind Regards,
Support Department
Streamline.Net - The home of good value web hosting

_________________
Alex Walker
"to assume is to make an ass of u and me"


Posted: Sat Sep 09, 2006 1:17 pm
Joomla! Explorer

Joined: Mon Dec 12, 2005 5:34 pm
Posts: 410
alexwalker wrote:
I asked my host Streamline if they could turn off register_globals in php.ini and this is their reply. Should I move to the Windows server, or move host?

Hi Alex,
best answer to give: it depends...
Some stuff you should consider:
- will the Windows Server run IIS or Apache as the web server? They differ in many aspects
- if Apache, good, but will it be the same version (e.g. 1.3x or 2.x)? If this is a "downgrade": don't move
- will PHP be the same version, or probably higher? 4.4.x or 5.1.x are current. If this is a "downgrade": don't move
- are any PHP extensions "missing"? usually they do.
- several "core" features of PHP/Apache do not exist for Windows by design; your apps may lack essential functionality
- are other "applications" or PHP scripts running on the affected domains? Check their requirements FIRST! Some simply don't run on Windows systems (no matter what web server/PHP version/etc.)
- will this move also affect the database server? J! (incl. 1.5) only handles MySQL
- if MySQL, good, but is it the same or a higher version? MySQL 4.x would be better, J! 1.5 will love native UTF-8 support. If this is a "downgrade": don't move

@all: don't be so paranoid about register_globals=on. Don't believe that if this value's off, your site is secure. It's one of many settings that result in a "little more security". If someone hacks the server, register_globals=off won't protect your site.
High security always implies less comfort! You can't have both. Nowhere and never: at home, your car, your web site.

J! handles RG in the "globals off emulation" and works with either on or off. But check your pool of installed extensions for vulnerabilities!! There's a sub forum in this board. Get rid of anything that's weakening J! from inside.
Secure your folders and files via CHMOD/CHOWN as outlined in this excellent sticky: Joomla Administrator's Security Checklist. Not everything will be possible to achieve, but there are a lot of things in that post each user can do as well.
"Lock" critical folders and only have them writeable if you really need to. There's no need to have configuration.php writeable all the time: configure once, lock it and done.

CirTap

_________________
You can have programs written fast, well, and cheap, but you only get to pick 2 ...

"I love deadlines. I like the whooshing sound they make as they fly by." Douglas Adams


Posted: Sat Sep 09, 2006 5:43 pm
Joomla! Fledgling

Joined: Fri Dec 23, 2005 9:21 pm
Posts: 1
Can the php.ini file change regarding register_globals setting `OFF` be added to .htaccess part of the default .htaccess file in 1.0.11 identified in Using .htaccess files to block exploit attempts at http://forum.joomla.org/index.php/topic,75376.0.html ???


Posted: Sun Sep 10, 2006 12:50 pm
Joomla! Intern

Joined: Sat Jul 29, 2006 8:56 pm
Posts: 88
Hello, all!

I have been trying to secure my Joomla 1.0.11 for a few days and I read here that I have to "turn the Register globals off" by modifying the php.ini

However, as I am on a "shared server" my hosting refuses to change it for me. (I don't have access to php.ini myself)
I asked for the other technique, that is the "turn the register globals off" from the .htaccess, but I asked it before to the technical support of the hosting and they told me that it's not possible, they have blocked that technique and if I try I will have an "error 500"...

I am starting to think it's a very limited hosting but I paid for it two months ago and I still have 10 months left with them...
:(

They also told me that putting a "php.ini" in all folders won't work.

Their advice was to always update Joomla as soon as possible and that it's secure anyway like that...  :-\  I do understand that it's a convenient response but...

So should I be afraid of my register globals on?
(It's my only security warning, I have even double protected the administrator folder by .htaccess password and changed the "admin" login)

Is there another possibility to change it without the techniques explained here "override, changing php.ini or .htaccess" ?
Edit: I read the excellent explanations for registerglobals, here: http://forum.joomla.org/index.php/topic,93640.0.html but still concerned....


:)
Cheers!!

My hosting is OVH.FR by the way...


Last edited by corsebou on Sun Sep 10, 2006 12:55 pm, edited 1 time in total.

Posted: Sun Sep 10, 2006 8:41 pm
Joomla! Guru

Joined: Tue Jun 06, 2006 7:41 am
Posts: 808
Location: Third planet from Sol
Quote:
Hey guys-
I appreciate all the input here, but now I am confused. Before, it was throw a simple php.ini file in every directory and you're done. Now I'm hearing that it's much more complex than that, and all I will get is major problems trying to do it that way.

I am about to do a 'Grand Opening' and marketing blitz on my site this weekend. Before I do that,


If setting up a secure site confuses you, hire a Joomla! professional to review your site's status. Factoring in what it costs to learn the hard way AFTER you've been hacked will make this investment seem a bargain.

Joomla! is free. Wisdom and experience can be priceless.

_________________
Web Home: http://www.ronliskey.com
Support http://support.educationgrove.com


Posted: Sun Sep 10, 2006 10:30 pm
Joomla! Apprentice

Joined: Tue Feb 21, 2006 11:27 pm
Posts: 17
My host does not allow any access to the PHP.INI file. Zero, Nadda, None!
I contacted them and they assured me that having the global settings to on is a very minimal risk yet is required for many scripts.
To change hosts for a minor setting is a bit extreme, not to mention expense.

If someone could tell me how to get rid of the warning message in 1.0.11 then I'd save a lot of time hacking code to remove it.


Posted: Mon Sep 11, 2006 12:13 am
Joomla! Guru

Joined: Tue Jun 06, 2006 7:41 am
Posts: 808
Location: Third planet from Sol
Quote:
To change hosts for a minor setting is a bit extreme, not to mention expense.

This is NOT a minor setting, as has been explained multiple times in this forum, on the official PHP site, and elsewhere. If you are doing anything at all serious with Joomla!, you'll probably find getting cracked to be even more expensive. You may also find at that point that your host is no longer sending you comforting, "Don't you worry about a thing!" emails. Good luck!

Quote:
If someone could tell me how to get rid of the warning message in 1.0.11 then I'd save a lot of time hacking code to remove it.

Hoping to save time by not learning anything and relying instead on whatever others tell you? Okay, here's how...

The process is similar to disabling the seatbelt warning in your car, and equally foolish:
  1. Find the warning by doing a global search for the offending text.
  2. Hack the code to say something you find more comforting, or just comment it out.
  3. Pray to the gods of your choice.

_________________
Web Home: http://www.ronliskey.com
Support http://support.educationgrove.com


Last edited by rliskey on Mon Sep 11, 2006 8:12 am, edited 1 time in total.

Posted: Mon Sep 11, 2006 5:38 am
Joomla! Apprentice

Joined: Tue Feb 21, 2006 11:27 pm
Posts: 17
Sarcasm Noted!, no real help, but noted as a sign of IQ levels!
Sorry for trying to seek help, I won't do that again! 
Thanks for the great support for Joomla! ???


Posted: Mon Sep 11, 2006 7:16 am
Joomla! Guru

Joined: Tue Jun 06, 2006 7:41 am
Posts: 808
Location: Third planet from Sol
Okay, sorry about the sarcasm. Not sure how to help you though. The warning messages are important and only show in the backend to administrators. Hacking code to remove warnings does not seem like a very good idea.

_________________
Web Home: http://www.ronliskey.com
Support http://support.educationgrove.com


Posted: Mon Sep 11, 2006 8:43 am
Joomla! Explorer

Joined: Mon Dec 12, 2005 5:34 pm
Posts: 410
loman wrote:
Can the php.ini file change regarding register_globals setting `OFF` be added to .htaccess part of the default .htaccess file in 1.0.11 identified in Using .htaccess files to block exploit attempts at http://forum.joomla.org/index.php/topic,75376.0.html ???

Welcome to the forums, loman
it can't be added (and activated) by default because it would have several drawbacks as mentioned a few times in this thread:
- this only works with PHP server module not CGI
- could break (poor written) 3PD extensions

CirTap

_________________
You can have programs written fast, well, and cheap, but you only get to pick 2 ...

"I love deadlines. I like the whooshing sound they make as they fly by." Douglas Adams


Posted: Tue Oct 03, 2006 10:24 am
Joomla! Intern

Joined: Sat Oct 01, 2005 3:09 pm
Posts: 78
Location: Thailand
I have been trying to get rid of these Joomla! admin warnings:

    *  PHP magic_quotes_gpc setting is `OFF` instead of `ON`
    * PHP register_globals setting is `ON` instead of `OFF`

for a while now and have read quite a bit on this forum, but to no avail. I edited htaccess and added a php.ini, but the warnings are still there. I have to work it out myself cause the provider won't change the php.ini...

Here is the .htacces code I added:

Code:
php_value session.save_path '/var/www/httpdocs/test/temp'
php_flag register_globals off
magic_gpc_quotes = 1
register_globals = 0
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open
allow_url_fopen = 0


And here is my php.ini:

Code:
php_value register_globals 0
magic_quotes_gpc = on

I put it in my Joomla! root folder test/
What is missing here?

_________________
CEO Imagewize Ltd: webdesign | web development | branding
website: Imagewize.net


Posted: Tue Oct 03, 2006 3:10 pm
Joomla! Enthusiast

Joined: Sun Sep 11, 2005 7:46 pm
Posts: 130
Location: san francisco, ca usa
If you are securing via php.ini that may mean that you are running PHP in cgi mode.
If this is so, then you need to put that php.ini in every directory of site.
See the top of this thread, #10 about tools to facilitate this.


Posted: Tue Oct 03, 2006 8:01 pm
Joomla! Apprentice

Joined: Tue Sep 12, 2006 9:36 pm
Posts: 5
Rhand,

Make sure that the file you are editing is .htaccess and not ".htacces".

I use CWI http://www.cwihosting.com  They do not enable the use of a php.ini in user directories, but I can use a .htaccess file to accomplish what I need to do.  You only need to edit this file in your web server root directory to affect all subdirectories.

Append to the end of .htaccess:
php_flag register_globals off
php_flag allow_url_fopen off
php_flag magic_quotes_gpc on

Please note that disable_functions did not work for me in the .htaccess file. I later found PHP documentation that said that disable_functions can only be used in php.ini. Search for "disable_functions" at http://us2.php.net/manual/en/ini.php

For reference, see:
http://forum.joomla.org/index.php?topic=81058.0
http://forum.joomla.org/index.php/topic ... #msg455771



In addition, I edited globals.php and changed the following line:
define( 'RG_EMULATION', 0);

For reference, see:
http://forum.joomla.org/index.php/topic,81058.0.html

Regards,

Social
http://www.social.com Tips for Life


Posted: Wed Oct 04, 2006 2:59 am
Joomla! Guru

Joined: Tue Jun 06, 2006 7:41 am
Posts: 808
Location: Third planet from Sol
Code:
magic_gpc_quotes = 1

should be
Code:
magic_quotes_gpc = 1

_________________
Web Home: http://www.ronliskey.com
Support http://support.educationgrove.com


Posted: Wed Oct 04, 2006 3:46 am
Joomla! Intern

Joined: Sat Oct 01, 2005 3:09 pm
Posts: 78
Location: Thailand
emagin wrote:
If you are securing via php.ini that may mean that you are running PHP in cgi mode.
If this is so, then you need to put that php.ini in every directory of site.
See the top of this thread, #10 about tools to facilitate this.




I installed info.php and I found that php.ini is installed in /etc/php.ini .

I edited php.ini as rlsikey and social said. Furthermore, I added php.info to a few other folders (I didn't edit the file).... But I really don't know if my php.ini is running in cgi mode. I only know that I still have those darn warnings:

    * PHP magic_quotes_gpc setting is `OFF` instead of `ON`
    * PHP register_globals setting is `ON` instead of `OFF`

And when I checked the php.ini I saw that it doesn't check my test folder for other .ini files...

Code:
additional .ini files parsed    /etc/php.d/domxml.ini, /etc/php.d/gd.ini, /etc/php.d/imap.ini, /etc/php.d/mbstring.ini, /etc/php.d/mysql.ini, /etc/php.d/pgsql.ini


Rhand

_________________
CEO Imagewize Ltd: webdesign | web development | branding
website: Imagewize.net


Last edited by Rhand on Wed Oct 04, 2006 3:51 am, edited 1 time in total.

Posted: Tue Oct 17, 2006 4:40 am
Joomla! Apprentice

Joined: Sat May 13, 2006 9:10 pm
Posts: 12
Location: Az-USA
NOTE for users of 1and1 - I emailed tech support and they were willing to work with me on this issue - however I found the answer on here. I believe it's secure now as it doesn't have that annoying register_globals is STILL ON! in red anymore.

So yes, I did what the other guy did with the AddType x-mapp-php5 .php in the .htaccess file... but I actually had to place this as the FIRST LINE of the .htaccess.  I was thinking I'd have to create my own php.ini and what a pain that was turning out to be- I'm glad this worked.  1and1 is AWESOME and they support joomla - you just gotta read into it a little bit so don't be swayed by posts on here where peeps have had troubles w/ 1and1, they know what they're doing but you have to also.

I grabbed the joomla .htaccess for my site actually - here it is in case anyone is curious.  I was also curious about how to get  clean url's to work- it seemed to be rather clunky and it doesn't really create anything that people remember anyhow (/content/junk/junk/junk/) so I just set it back to default.

here's my .htaccess in case anyone's curious:

AddType x-mapp-php5 .php

##
# @version $Id: htaccess.txt 2368 2006-02-14 17:40:02Z stingrey $
# @package Joomla
# @copyright Copyright (C) 2005 Open Source Matters. All rights reserved.
# @license http://www.gnu.org/copyleft/gpl.html GNU/GPL
# Joomla! is Free Software
##


#####################################################
#  READ THIS COMPLETELY IF YOU CHOOSE TO USE THIS FILE
#
# The line just below this section: 'Options FollowSymLinks' may cause problems
# with some server configurations.  It is required for use of mod_rewrite, but may already
# be set by your server administrator in a way that dissallows changing it in
# your .htaccess file.  If using it causes your server to error out, comment it out (add # to
# beginning of line), reload your site in your browser and test your sef url's.  If they work,
# it has been set by your server administrator and you do not need it set here.
#
# Only use one of the two SEF sections that follow.  Lines that can be uncommented
# (and thus used) have only one #.  Lines with two #'s should not be uncommented
# In the section that you don't use, all lines should start with #
#
# For Standard SEF, use the standard SEF section.  You can comment out
# all of the RewriteCond lines and reduce your server's load if you
# don't have directories in your root named 'component' or 'content'
#
# If you are using a 3rd Party SEF or the Core SEF solution
# uncomment all of the lines in the '3rd Party or Core SEF' section
#
#####################################################

#####  SOLVING PROBLEMS WITH COMPONENT URL's that don't work #####
# SPECIAL NOTE FOR SMF USERS WHEN SMF IS INTEGRATED AND BRIDGED
# OR ANY SITUATION WHERE A COMPONENT's URL's AREN't WORKING
#
# In both the 'Standard SEF', and '3rd Party or Core SEF' sections the line:
# RewriteCond %{REQUEST_URI} ^(/component/option,com) [NC,OR] ##optional - see notes##
# May need to be uncommented.  If you are running your Joomla/Mambo from
# a subdirectory the name of the subdirectory will need to be inserted into this
# line.  For example, if your Joomla/Mambo is in a subdirectory called '/test/',
# change this:
# RewriteCond %{REQUEST_URI} ^(/component/option,com) [NC,OR] ##optional - see notes##
# to this:
# RewriteCond %{REQUEST_URI} ^(/test/component/option,com) [NC,OR] ##optional - see notes##
#
#####################################################


##  Can be commented out if causes errors, see notes above.
Options FollowSymLinks
Options +Indexes

#
#  mod_rewrite in use

RewriteEngine on
php_flag register_globals off
register_globals off



#  Uncomment following line if your webserver's URL
#  is not directly related to physical file paths.
#  Update Your Joomla/MamboDirectory (just / for root)

RewriteBase /
RewriteRule ^([a-z]+)\.html$ /index.php?$1 [R,L]



########## Begin Standard SEF Section
## ALL (RewriteCond) lines in this section are only required if you actually
## have directories named 'content' or 'component' on your server
## If you do not have directories with these names, comment them out.
#
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} ^(/component/option,com) [NC,OR] ##optional - see notes##
RewriteCond %{REQUEST_URI} (/|\.htm|\.php|\.html|/[^.]*)$  [NC]
RewriteRule ^(content/|component/) index.php
#
########## End Standard SEF Section


########## Begin 3rd Party or Core SEF Section
#
RewriteCond %{REQUEST_URI} ^(/component/option,com) [NC,OR] ##optional - see notes##
RewriteCond %{REQUEST_URI} (/|\.htm|\.php|\.html|/[^.]*)$  [NC]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule (.*) index.php
#
########## End 3rd Party or Core SEF Section

_________________
-Robert
Designer & Developer | Website Management Systems
http://www.RAinsites.com


Posted: Thu Oct 19, 2006 8:30 pm
Joomla! Apprentice

Joined: Mon Oct 16, 2006 8:11 pm
Posts: 42
Location: Gatineau, QC, Canada
Pumuckl wrote:
Quote:
I can overide the php.ini file.

Is this a solution that i can use for a more secure Joomla?

Yes, this will secure your joomla!
But check out, whether all function of 3rd party addons or components will work after this.
You have to insert the php.ini file in each directory, it does not work recursive!
And you didn't need to use the parameter "phpinfo", only if you don't want to show the user your php-configurations.
I've used it and I see, that joomla works still fine after I inserted the php.ini.
Try it!

if you're able to override the global php.ini, please add "php_value register_globals off", too

php.ini:
-------------snip-------------
allow_url_fopen = OFF
php_value register_globals off
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open
-------------snap-------------



Thanks for the info but are those the only 3 lines I need in my php.ini file? I'm new at php and would like to make things as simple as possible till I fiddle around with it a bit more.

I'm with GoDaddy and I don't have a php.ini file in my root directory. I tried the .htaccess fix and it kept me from accessing my site so, I had to remove it.

Gemigene


Last edited by gemigene on Thu Oct 19, 2006 8:35 pm, edited 1 time in total.

Posted: Thu Oct 19, 2006 8:39 pm
Joomla! Explorer

Joined: Mon Dec 12, 2005 5:34 pm
Posts: 410
the code snippet is wrong, it mixes php.ini and .htaccess directives.
If AT ALL it should read:
-------------snip-------------
allow_url_fopen = OFF
register_globals = off
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open
-------------snap-------------
without php_value. This one only applies to the .htaccess file (or httpd.conf) WITH PHP running as a module.

Have fun & good luck,
CirTap

_________________
You can have programs written fast, well, and cheap, but you only get to pick 2 ...

"I love deadlines. I like the whooshing sound they make as they fly by." Douglas Adams


Posted: Thu Oct 19, 2006 8:50 pm
Joomla! Apprentice

Joined: Mon Oct 16, 2006 8:11 pm
Posts: 42
Location: Gatineau, QC, Canada
CirTap wrote:
the code snippet is wrong, it mixes php.ini and .htaccess directives.
If AT ALL it should read:
-------------snip-------------
allow_url_fopen = OFF
register_globals = off
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open
-------------snap-------------
without php_value. This one only applies to the .htaccess file (or httpd.conf) WITH PHP running as a module.

Have fun & good luck,
CirTap


Thanks but how do I do it? Suggestions anyone?

Gemigene
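
The mix-ups corrected in this thread (php.ini `name = value` lines inside .htaccess, `php_value` inside php.ini, the misspelled `magic_gpc_quotes`, `disable_functions` outside php.ini, and `php_flag` on a host that runs PHP as CGI) can be caught before a file is uploaded. The following is an added example, not code from any poster or from Joomla!; the `lint` function, its small table of settings and the shortened sample files are assumptions built from the snippets posted above.

```python
import difflib
import re

# Where each setting may be changed, per the PHP 4.4/5.x manual's directive list.
# PERDIR and ALL can be set from .htaccess; SYSTEM and INI_ONLY cannot.
SCOPE = {
    "register_globals": "PERDIR",
    "magic_quotes_gpc": "PERDIR",
    "session.save_path": "ALL",
    "allow_url_fopen": "SYSTEM",      # was PHP_INI_ALL up to PHP 4.3.4
    "disable_functions": "INI_ONLY",
}
BOOLEAN = {"register_globals", "magic_quotes_gpc", "allow_url_fopen"}
APACHE_PHP = re.compile(r"^(php_(?:admin_)?(?:flag|value))\s+(\S+)", re.I)
INI_ASSIGN = re.compile(r"^([A-Za-z_][\w.]*)\s*=")


def suggest(name):
    """Return ' (did you mean X?)' when name is a near miss of a known setting."""
    if name in SCOPE:
        return ""
    close = difflib.get_close_matches(name, list(SCOPE), n=1, cutoff=0.7)
    return f" (did you mean {close[0]}?)" if close else ""


def lint_htaccess_line(line, mod_php):
    """Check one .htaccess line; return a message or None."""
    apache = APACHE_PHP.match(line)
    assign = INI_ASSIGN.match(line)
    if apache:
        verb, name = apache.group(1).lower(), apache.group(2)
        if not mod_php:
            return f"{verb} needs mod_php; without it Apache answers 500"
        if suggest(name):
            return f"unknown PHP setting {name}{suggest(name)}"
        if SCOPE.get(name) in ("SYSTEM", "INI_ONLY"):
            return f"{name} cannot be changed from .htaccess; set it in php.ini"
        if verb == "php_value" and name in BOOLEAN:
            return f"{name} is a boolean; use php_flag {name} on|off"
        return None
    name = assign.group(1) if assign else line.split()[0]
    if assign or name in SCOPE:
        return (f"'{name}' line is php.ini syntax, not an Apache directive; "
                f"Apache answers 500{suggest(name)}")
    return None


def lint_ini_line(line):
    """Check one php.ini line; return a message or None."""
    apache = APACHE_PHP.match(line)
    if apache:
        return (f"{apache.group(1)} is an Apache directive; "
                f"write '{apache.group(2)} = value' in php.ini")
    assign = INI_ASSIGN.match(line)
    if assign and suggest(assign.group(1)):
        return f"unknown setting {assign.group(1)}{suggest(assign.group(1))}"
    return None


def lint(text, kind, mod_php=True):
    """Lint text as '.htaccess' or 'php.ini'; return a list of (line_no, message)."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if kind == "php.ini":
            skip = not line or line[0] in ";["
            msg = None if skip else lint_ini_line(line)
        else:
            skip = not line or line[0] == "#"
            msg = None if skip else lint_htaccess_line(line, mod_php)
        if msg:
            findings.append((no, msg))
    return findings


# The two files posted in the thread on Oct 03, 2006 (disable_functions list shortened).
HTACCESS = """\
php_value session.save_path '/var/www/httpdocs/test/temp'
php_flag register_globals off
magic_gpc_quotes = 1
register_globals = 0
disable_functions = show_source, system, shell_exec
allow_url_fopen = 0
"""
PHP_INI = """\
php_value register_globals 0
magic_quotes_gpc = on
"""

if __name__ == "__main__":
    for kind, text in ((".htaccess", HTACCESS), ("php.ini", PHP_INI)):
        for no, msg in lint(text, kind):
            print(f"{kind}:{no}: {msg}")
```

Pass `mod_php=False` when the host runs PHP as CGI, in which case every `php_flag` or `php_value` line is reported.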


Posted: Thu Oct 19, 2006 9:05 pm
Joomla! Explorer

Joined: Mon Dec 12, 2005 5:34 pm
Posts: 410
read this thread, it has all been discussed here... at length :-)
you'll find more than one "solution" posted, one may match and work for your server environment, or none at all.
messing with php.ini is not always necessary, and more often not even possible, for very good reasons.

I also recommend reading this sticky *carefully*, written by rliskey: http://forum.joomla.org/index.php/topic,81058.0.html
The sticky contains other possible "ways" to secure your installation, some may be applicable for you.

Have fun,
CirTap

_________________
You can have programs written fast, well, and cheap, but you only get to pick 2 ...

"I love deadlines. I like the whooshing sound they make as they fly by." Douglas Adams


Posted: Thu Oct 19, 2006 9:28 pm
Joomla! Apprentice

Joined: Mon Oct 16, 2006 8:11 pm
Posts: 42
Location: Gatineau, QC, Canada
nathandiehl wrote:
create a new php file with the contents:



its results will give you the location.


Did that and GoDaddy's results are: /web/conf/php.ini, I wonder if I can access it...

Gemigene


Posted: Fri Oct 20, 2006 4:27 pm
Joomla! Fledgling

Joined: Thu Sep 14, 2006 10:58 am
Posts: 4
I cant find  php.ini on my server  :o ???


Posted: Fri Oct 20, 2006 7:02 pm
Joomla! Apprentice

Joined: Mon Oct 16, 2006 8:11 pm
Posts: 42
Location: Gatineau, QC, Canada
Sreejith wrote:
I cant find  php.ini on my server  :o ???


Are you with GoDaddy? If so, you can create your own php.ini file and upload it to all your Joomla directories.

I tried the .htaccess file as described in the forums but it didn't work out for me, led me to a server error.

Gemigene

p.s. I would really like to use Joomla as a front end to my site but if I keep running into problems, chances are I'll just switch back to good old HTML programming. I've created quite a few HTML sites and hardly ever ran into problems.
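
For hosts where PHP runs as CGI and, as described in this thread, a php.ini has to sit in every directory because it is not applied recursively, the following added example (not from any poster or from Joomla!) reports directories that lack the file or hold a copy that differs from a master php.ini, and repairs them. The function names `audit` and `deploy` are assumptions, and the master file is assumed to be one you maintain yourself.

```python
import hashlib
import os
import shutil


def _digest(path):
    """SHA-256 of a file's contents, used to spot copies that drifted."""
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def audit(site_root, master_ini):
    """Return {'missing': [...], 'stale': [...]} with paths relative to site_root.

    'missing' directories have no php.ini, so the host default (for example
    register_globals on) applies to scripts there; 'stale' directories hold a
    php.ini whose contents differ from the master.
    """
    want = _digest(master_ini)
    report = {"missing": [], "stale": []}
    for dirpath, dirnames, filenames in os.walk(site_root):
        dirnames.sort()  # deterministic traversal order
        rel = os.path.relpath(dirpath, site_root)
        if "php.ini" not in filenames:
            report["missing"].append(rel)
        elif _digest(os.path.join(dirpath, "php.ini")) != want:
            report["stale"].append(rel)
    return report


def deploy(site_root, master_ini):
    """Copy master_ini into every directory audit() flags; return the count written."""
    report = audit(site_root, master_ini)
    targets = report["missing"] + report["stale"]
    for rel in targets:
        dest = os.path.join(site_root, rel, "php.ini")
        if os.path.islink(dest):
            os.unlink(dest)  # never write through a symlink found in the tree
        shutil.copyfile(master_ini, dest)
        os.chmod(dest, 0o644)  # readable by the web server, writable only by the owner
    return len(targets)
```

Run `audit` again after installing or updating an extension, since new directories arrive without a php.ini.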


Posted: Fri Oct 20, 2006 11:52 pm
Joomla! Apprentice

Joined: Sat May 13, 2006 9:10 pm
Posts: 12
Location: Az-USA
you can contact me at robert dot_mccorkle at gmail _ dot com - i'm also on aim/google chat

_________________
-Robert
Designer & Developer | Website Management Systems
http://www.RAinsites.com


Posted: Sat Oct 21, 2006 8:59 am
Joomla! Fledgling

Joined: Thu Sep 14, 2006 10:58 am
Posts: 4
gemigene wrote:
Sreejith wrote:
I cant find  php.ini on my server  :o ???


Are you with GoDaddy? If so, you can create your own php.ini file and upload it to all your Joomla directories.

I tried the .htaccess file as described in the forums but it didn't work out for me, led me to a server error.

Gemigene

p.s. I would really like to use Joomla as a front end to my site but if I keep running into problems, chances are I'll just switch back to good old HTML programming. I've created quite a few HTML sites and hardly ever ran into problems.



No. My site is hosted by Contrast Hosting  :'( how can i make a custom php.ini?  ???


Posted: Sat Oct 21, 2006 7:24 pm
Joomla! Apprentice

Joined: Mon Oct 16, 2006 8:11 pm
Posts: 42
Location: Gatineau, QC, Canada
Sreejith wrote:
gemigene wrote:
Sreejith wrote:
I cant find  php.ini on my server  :o ???


Are you with GoDaddy? If so, you can create your own php.ini file and upload it to all your Joomla directories.

I tried the .htaccess file as described in the forums but it didn't work out for me, led me to a server error.

Gemigene

p.s. I would really like to use Joomla as a front end to my site but if I keep running into problems, chances are I'll just switch back to good old HTML programming. I've created quite a few HTML sites and hardly ever ran into problems.



No. My site is hosted by Contrast Hosting  :'( how can i make a custom php.ini?  ???


Did you try asking their technical support to turn register_globals to OFF?

Gemigene

