Joomla! Discussion Forums

This is the discussion thread about this topic: Security Messages in Joomla 1.0.11

My Joomla Administrator site still showing PHP register_globals setting is `ON` instead of `OFF`

I follow the instruction to add below two code to my .htaccess and I totally not able to view my Joomla site.

The failure notice is:-

Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.

The code I added to .htaccess are:-

php_admin_flag register_globals off
php_admin_flag magic_quotes_gpc on

I removed this two lines and is back to normal. I have been trying php.ini and still not working. I spent about 2 days to get this thing fix but still the same.

Anybody can help me? I am newbie and not really know how to do this, have been using Joomla for 2 months.

Thank you for posting this, I think this info is so usefull, especially the "what does it do" part, that I'm going to translate now & post on the french forums -with your Ok, hoping it's not (c)  hackwar or joomla.org?!

Eyezberg, feel free to do so.

@tingtong
Its possible that your provider has configured your server in a way that these fixes wont work. In that case you have to ask your provider to switch it off for you.

Ok, thanks. If I swith it off, will that be possible some extension need it to be "ON" in order to function?

If my hosting provider had swicth it off, is that I no need to add the php.ini or .htaccess code anymore?

Yes, it can be possible that some of your extensions wont work, please look in the posting, I've added a link to a thread about extensions that wont work with register_globals and rg_emulation off.
When your provider does this for you, you don't need .htaccess and/or php.ini any more, yes.

Thanks & Danke, it's here
http://www.joomlafacile.com/content/view/34/61/

Reads itself very nicely.

Hannes,
following the publication of that translation, one user pointed out that in an .htaccess file, php_admin_flag and php_admin_value do not work!
These are to be used only server-side to change values which can be accessed only by the admin, so that you can change these later on a site by site basis with .htaccess.

It should instead be php_flag and php_value only.
Reference: http://www.php.net/manual/de/configuration.changes.php

Can you confirm this?

Sorry, this is an error on my side. I will correct that asap.

In the situation where the server settings can not be changed and the site can not be moved at this point, how can we turn off these warnings?

Simply telling someone to move servers because the one they are on is "crap" isn't too helpful.  :-(

Courtesy of Rey:

Go to: Modules -> Administrator Modules -> Quick Icons -> Security Check = Hide

Nice, thanks.

Just spent 20 minutes tracking it down and changing '1' to '0', though.  LOL.

Much appreciated, sir.

A real nice security option would be a module that checks if there is an "defined(...) or die(...)" at the beginning of an component file. Maybe the check comes with installation of an component. So an admin who has not much experience has the ability to see if an component maybe is a security risk.

Okay, so far I've tried everything with my php.ini file and .htacess file.



have been added to my .htacess file and saved



Have been added to my php.ini and saved. I've also made the changes to globals.php that were written in the security messages topic.

Still I keep getting the same Register Globals is set to on instead of off warning. I know that it's set to off. So is there anything I could've missed that for some reason keeps register globals (or makes joomla think) that register globals is on?

Maybe you just check in the administrator following point:

System -> System Info

there you switch to "PHP Info". There you will find the directives used by your domain. If you use virtual hosts you will see a Local Value and a Master Value.

Now search for the entry Register Globals and the Local Value of this entry. If this one is set to off, it is really set off.

Sometimes the provider has locked down the function that you would need to change those values with .htaccess or php.ini files in the directories.

Hmm, was able to fix it now.

kmekc, I did what you said and was able to find an entry for register globals that was set to on. I searched around my webhost's forum and found a topic related to register_globals and joomla.

Along with having register_globals set to off in the php.ini file, (which was already done). I was also told to put this code in my .htaccess file


Then, to put this code at the top of the exploitable file in question at the top right after the opening php tag


That seemed to do it. So, just throwing this out there in case anyone was having the same problems I was. Thanks!

And now I would like to ask you:

Is the file .htaccess the same as the htaccess.txt in the Joomla root folder on my Provider?
The same with php.ini: If I create my own php.ini and install it in the above mentioned folder, will I get finally the solution for:

PHP register_globals setting is `ON` instead of `OFF`

Thankx!

Alex

Note: some (most) hosts require to have php.ini in every (sub) directory.

Do you mean, if I create and save a document php.ini, containing only the two lines (or four):

register_globals = off
magic_quotes_gpc = on

and then install it in each folder and subfolder it will works?

Well, yesterday I tried only each folder, and I tought that would be enough...however, I'm going to try that!

Thank! 

I still getting the GLOBAL_REGISTERS ON

I tried to install the php.ini in each single folder and subfolder, but it doesn't work.

I will wait for some know-how...or inspiration! 

Thankx!

you need to  check that your host actually allow overide of php.ini, many do not.

I wonder if I'll ever be able to correctly install Joomla...

Until now, I just know that the main problem of the installation relates to

.htaccess and php.ini

I wonder also if the morphology of my .htaccess was right. I got a 404 after the installation in the Joomla main folder

Regards!

Hi

As a recent convert to Joomla and as someone who will be developing several sites using this excellent package, I too became a little concerned with the warning in the admin section advising PHP register_globals setting is `ON` instead of `OFF`

Having read through the comments and guidance in this forum and not wishing to get deeply involved in copying files and adding bits and pieces here and there I took the advice and approached my host about turning this setting to 'off' first.

The response was very interesting and by following the simple advice given, I have been able to resolve this security weakness by adding a single line of instruction to the sites (latest  Joomla version) .htaccess file

I additionally modified the global.php to 'off' to complete the exercise.

The code I have added to the .htaccess file is as follows

AddType x-mapp-php5 .php

This obviously only applies to a host that is providing php 5 within their service, however many now offer both php 4 and 5.

given that the code in joomla is written with the .php extension and it appears that php 5 needs this to be .php5

Whilst the change to Joomla's core is perhaps a major undertaking, is possible to make this compatible with the needs of php 5 as this seemingly set up with register_globals 'off' by default. Maybe this line of code could be added as standard to the base htaccess.txt file in the shorterm and perhaps a version of Joomla be dedicated to use with PHP5?

As has been suggested in many of the moderator's replies if the host doesn't offer support then perhaps a change of host is a wise step.

For reference my host is 1&1

I now have a admin screen without those worrying red characters at the bottom telling me to take action on security!

I hope this adds something to the debate about security against site hacks.

One question that this raises is, how doe's this affect third party extensions and templates?

My Joomlashack templates have not been affected but are the other items at risk, I wonder?

David

PHP 5 does not need files to be named .php5.  This is just a convention that your hosting provider has taken on.  In reality, PHP doesn't care what the files are named as long as you configure it to parse them you can name your files .foobar if you wanted to.



See above note, this is not a standard, just a convention that your host uses.  Hence, there is no reason to change the core or make a separate version.

Thanks for your reply Rob

Not being someone who would usually delve deeper than necessary into such issue's. I am I guess like many who visit the forum, a software user rather than a developer. In this case we have to resolve such issues when they appear and as this is problem that needs to be resolved to make any Joomla based site secure we need support from you guys.

I rather naively assumed the need for the added character on the extension in PHP5, so your point has straightened me out on that so my question about modifying the core is also resolved and therefore withdrawn.

I suppose I should have thought harder before asking, given the way Joomla is crafted, my apologies.

Having sought you support through the previous posts and followed this through with the host and been given a very simple way to resolve my problem, my question is now:

(1) Will this work in a generic way if added to the sites .htaccess file and used on any host server or will it be host specific?

(2) Will such an addition in this way affect Joomla if there is no PHP5 on the server?

(3) Will it affect the performance of third party extensions in either case above?

Given that it was a very simple way to resolve my issue with the problem I posted the information for discussion as it saved a heck of a lot of work and worry compared to some of the options discussed. If there is a positive to all of the questions above it may help others who don't have the skills or wish to delve deeper than changing '1' to '0' or adding a line of code, as the risk of breaking the site is always in the back of their minds.

I suspect many have to ignore the warnings for fear of the work and risk involved in overcoming it and put their site on line with a security weakness, or do not use such a superb CMS system because of the perceived difficulty of securing it.

I wonder how many basic users do not even modify the htaccess.txt by renaming it once uploaded, in which case this would not work anyway, therein lies another issue to be resolved perhaps?

I can only hope that my experience is of use in providing an another possible answer to resolving this security issue, particularly if there is a positive answer to the three questions above.

If nothing more, it will answer the question for the users who use the same host as myself and underline the benefits of asking the Host before jumping in deep too quickly.

Look forward to your reply and continued support of a great bit of software.

Regards

David

David,

No need to apologize

As for your 3 questions, I will answer them as best I can but to be honest, I am not sure I understand what you are asking with the second question.

1.  No, this is host specific.  There are many ways that a web server can be configured, this is just one of the many.  There are some other more general configuration options that you can use and are documented in other threads on this forum, so I will not repeat them here, but again, those are dependent on certain configurations and environments. 

2. In general, it won't affect the Joomla! core however it may cause some negative side effects for 3rd party extensions.  There is a thread that is trying to document many of the extensions that are affected on this forum as well.  Be warned, it is a large, overwhelming thread but Websmurf, the thread starter, is doing a fair job of keeping a summary of the information in the first post.  You can find that thread here: http://forum.joomla.org/index.php/topic,86525.0/topicseen.html.  Joomla! should work with PHP 4 or PHP 5.  It really doesn't matter much as it has some backwards compatability libraries that "back-port" behavior in newer PHP versions so that they are available on older versions.  Assuming a 3rd party component is written correctly, it should work as well in either situation.

3.  Performance... you won't/shouldn't notice any changes in performance.  There is theoretically performance differences but I think you would have a hard time noticing them.

Well, for a long time, Joomla!'s htaccess file was only used for SEF (search engine friendly) URL implementations.  It wasn't until 1.0.11 that it contained anything directly related to security.  However, you have to be careful when you rename the file if you are not using SEF on your site as it is still on by default in the htaccess.txt file.  There are some other discussion threads that discuss this matter and if you search the forums you will probably be able to find them.  I would offer the link but I don't have it handy, sorry.

I hope that helps, Rob

Hi Rob

Thanks for the quick reply.

The second quetion was to understand if the instruction I had added to my .htaccess file would be a problem if there was no PHP5 on the server and if this would create an error breaking Joomla? I ask this in context with the first question as I wondered that if this was not host specific, it could well help Joomla users like myself with limited coding skills to make their site secure.

Regarding the SEF element, I will take a look at the post(s) to understand this better, but in the meantime, the version I am using is the 1.0.11 and if i am not mistaken the use of the .htaccess file is recommended with this version due to the security elements included?


The immediate question is SEF a functional default component in this version, I have assumed it is as everything appears to work fine on the test site?

Regards

David

No, it isn't on by default if I remember correctly.  I don't think it could be as you would get 404 errors until the htaccess.txt was renamed appropriately.  To enable SEF you need to do two things, rename htaccess.txt to .htaccess and enable it in the Global Configuration options.  To disable you disable it in the global config and comment out the related lines in .htaccess.  You should be able to figure out which lines they are (about 5 of them) just be reading the file as it states pretty clearly where they are.  Just put a # sign in front of them like the other comment lines.  If you are unsure, try a search.  I know I have answered this before