Joomla! Discussion Forums
Posted: Fri Oct 06, 2006 11:20 am 
Joomla! Apprentice (Joined: Thu Oct 05, 2006 12:53 pm, Posts: 7)
Hi Rob

You are correct, it is 'off' by default.

Interestingly, having amended the .htaccess and renamed it on the server, seemingly satisfactorily (indicated by the removal of the safety warning), on now turning the SEF option 'on' I then get a '404 error' when going to the site?

Is this a result of adding the new instruction to the .htaccess file?

Regards

David


Posted: Sat Nov 04, 2006 12:00 pm 
Joomla! Apprentice (Joined: Fri Aug 19, 2005 7:08 pm, Posts: 33, Location: Leeds UK)
I think the advice is good and I appreciate it, but how to implement a solution is a bit vague.

For instance:
Where is php.ini? I don't seem to have one.

Also
Quote:
.htaccess file
On most servers, you can configure the Apache with files with the name .htaccess. These files can not be read from the web! Often you can't just copy such a file on your webspace, but you can rename a file to .htaccess.


What does the above statement mean? "These files can not be read from the web": well, I can read mine; in fact I can right-click and edit it in my FTP client, or download it and change it.

"but you can rename a file to .htaccess": what? Rename a file from .htaccess to .htaccess? Why, why would anyone do that?

Every line in my .htaccess starts with a #. Should I precede the lines below with a #? Because when I don't, my site won't work.
Quote:
php_admin_flag register_globals off
php_admin_flag magic_quotes_gpc on


you say
Quote:
Apache/PHP configuration files outside of your website's folder
If you have access to the configuration files of your server, you can put


What configuration file?   Specifically what are the files called ?

Also, if I ask my hosting provider to turn globals off, perhaps my Joomla site will not work; then I will have to raise another ticket to get globals turned back on.


So this is my problem:

I have the following 2 messages in my admin
PHP register_globals setting is `ON` instead of `OFF`
Joomla! RG_EMULATION setting is `ON` instead of `OFF` in file globals.php


Also, it seems that some people can join my site without actually visiting it.
New members have been created with names like "diet pills" and "free ringtones".

When I look at the member details they have no last visited date.

I think the register globals thing has something to do with it, but I can not make any sense of this thread or the one it relates to.

The thing is, hackers are targeting Joomla, and all the help and advice seems to lead to this thread, and we need more than one thread for this.


Posted: Sat Nov 04, 2006 12:24 pm 
Joomla! Virtuoso (Joined: Fri Sep 16, 2005 8:41 pm, Posts: 3652, Location: NRW - Germany)
Nomax5 wrote:
For instance:
Where is php.ini? I don't seem to have one.

I can't tell you where your php.ini is, since it can be located in a hundred places.
Quote:
Also
Quote:
.htaccess file
On most servers, you can configure the Apache with files with the name .htaccess. These files can not be read from the web! Often you can't just copy such a file on your webspace, but you can rename a file to .htaccess.


What does the above statement mean? "These files can not be read from the web": well, I can read mine; in fact I can right-click and edit it in my FTP client, or download it and change it.

Type into your browser "http://youradress.com/.htaccess". You won't be able to read it from the web. FTP is something different.
Quote:
"but you can rename a file to .htaccess": what? Rename a file from .htaccess to .htaccess? Why, why would anyone do that?

You sometimes can't edit these .htaccess files via FTP; that's why you could create a htaccess.txt on your computer, copy it over to the server and then rename it locally.
Quote:
Every line in my .htaccess starts with a #. Should I precede the lines below with a #? Because when I don't, my site won't work.
Quote:
php_admin_flag register_globals off
php_admin_flag magic_quotes_gpc on


If you put a # before something, it is commented out in this file. This means that everything on that line behind this character will not be interpreted, and you are effectively switching the command used on that line off. When your site does not work when using these two lines, you have exactly the situation why I wrote "some" and not "all" can be configured with these .htaccess files. This is a feature your provider has to allow you to use.
Quote:
you say
Quote:
Apache/PHP configuration files outside of your website's folder
If you have access to the configuration files of your server, you can put


What configuration file? Specifically, what are the files called?

The same as with php.ini. These files can have a multitude of names and can be situated in equally many folders. I just can't tell you what the file is called or where to find it, since this is not fixed and the same on every server.
Quote:
Also, if I ask my hosting provider to turn globals off, perhaps my Joomla site will not work; then I will have to raise another ticket to get globals turned back on.


So this is my problem:

I have the following 2 messages in my admin
PHP register_globals setting is `ON` instead of `OFF`
Joomla! RG_EMULATION setting is `ON` instead of `OFF` in file globals.php


Also, it seems that some people can join my site without actually visiting it.
New members have been created with names like "diet pills" and "free ringtones".

When I look at the member details they have no last visited date.

I think the register globals thing has something to do with it, but I can not make any sense of this thread or the one it relates to.

The thing is, hackers are targeting Joomla, and all the help and advice seems to lead to this thread, and we need more than one thread for this.

Yes, you *may* have problems with some extensions that need register_globals turned on. But these specific extensions are so damn insecure that it would be a wonder if you hadn't been hacked already. TURN IT OFF! Using those extensions is like driving a car without brakes. It's not a question of if you crash, but when.

On the emulation, please read my original thread again. I explained where to turn it off.

About the users registering on your site: this has nothing to do with register_globals or anything. This is expected behaviour. The users register, and only when they log in do they get a "last visited" date. Since the spammers using your registration form are not logging in, there is no "last visited" date available to the program. Easy as that.

About your last statement: You have noticed that you are in the security forum, right? This forum alone has over 34 pages of listed threads with the topic security. Also, there are literally hundreds of postings about register_globals and rg_emulation in this forum alone, not counting the hundreds writing such stuff into general questions, etc. There *is* more than one thread about this.

_________________
god doesn't play dice with the universe. not after that drunken night with the devil where he lost classical mechanics in a game of craps.

Since the creation of the Internet, the Earth's rotation has been fueled, primarily, by the collective spinning of English teachers in their graves.


Posted: Sat Nov 04, 2006 1:01 pm 
Joomla! Apprentice (Joined: Fri Aug 19, 2005 7:08 pm, Posts: 33, Location: Leeds UK)
Okay, the RG_emulation thing is done,

but changing .htaccess isn't working; I've tried it on 2 of my sites.

I have one very new site without any 3rd party extensions loaded

This is what I get when I add your line to .htaccess:
Code:
php_flag register_globals off

This is what I get every time:
Quote:


Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator, webmaster@playname.com and inform them of the time the error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log.


Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request.



This is the bottom of my .htaccess file; every line above this starts with #.
Code:
#RewriteCond %{REQUEST_URI} ^(/component/option,com) [NC,OR]       ##optional - see notes##
#RewriteCond %{REQUEST_URI} (/|\.htm|\.php|\.html|/[^.]*)$  [NC]
#RewriteCond %{REQUEST_FILENAME} !-f
#RewriteCond %{REQUEST_FILENAME} !-d
#RewriteRule (.*) index.php
#
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_HOST} ^playname.com [NC]
RewriteRule ^(.*) http://www.playname.com/$1 [L,R=301]
php_flag register_globals off
########## End 3rd Party or Core SEF Section


Posted: Sat Nov 04, 2006 1:47 pm 
Joomla! Virtuoso (Joined: Fri Sep 16, 2005 8:41 pm, Posts: 3652, Location: NRW - Germany)
Hackwar wrote:
Quote:
Every line in my .htaccess starts with a #. Should I precede the lines below with a #? Because when I don't, my site won't work.
Quote:
php_admin_flag register_globals off
php_admin_flag magic_quotes_gpc on


If you put a # before something, it is commented out in this file. This means that everything on that line behind this character will not be interpreted, and you are not executing that command. When your site does not work when using these two lines, you have exactly the situation why I wrote "some" and not "all" can be configured with these .htaccess files. This is a feature your provider has to allow you to use.

Please read the above statement again. I specifically wrote "SOME" can be configured this way, NOT all. You are one of those people that can't, and where these config values can NOT be set by putting this in a .htaccess file. Ask your provider to turn it off.

 
Posted: Tue Mar 06, 2007 4:16 pm 
Joomla! Fledgling (Joined: Tue Mar 06, 2007 3:54 pm, Posts: 3)
See, this is wrong... I am a provider playing with Joomla and am about to recommend against it. None of the suggestions work other than turning it off. However, if I do, hundreds of scripts by my clients no longer work. That's not good for a business practice. I would rather tell my clients to find another solution or program.


Posted: Tue Mar 06, 2007 4:32 pm 
Joomla! Virtuoso (Joined: Fri Sep 16, 2005 8:41 pm, Posts: 3652, Location: NRW - Germany)
Yes, and airbags kill people, and thus it's better to not use them. Sorry, running a server with register_globals = On is careless, and trying to reason that other, badly coded scripts don't work if it's turned off is the same as if I said you don't need a safety belt or an airbag when you're driving 120 miles/hour in your Fiat Punto...

 
Posted: Tue Mar 06, 2007 4:37 pm 
Joomla! Fledgling (Joined: Tue Mar 06, 2007 3:54 pm, Posts: 3)
I've been running like this for 4 years, no issues or problems. If this were such common practice, why so many issues with people having this problem where hosts won't change it because it causes hundreds of scripts to become broken?

That's all I am saying. If it were so common, I guess there wouldn't be so much confusion and/or threads regarding this. At this point, Joomla is about off of our servers' radar. Sad though.


Posted: Fri Mar 30, 2007 5:53 pm 
Joomla! Apprentice (Joined: Tue Mar 13, 2007 8:12 pm, Posts: 5)
Erm... sorry to butt in, but surely the problem is that your scripts are badly coded?

Quote:
The function register_globals helps lazy developers with coding their programs. It basically takes all values that are passed over to the script and puts them into variables.

Quote:
Why is this bad? The culprit with this function is that it does not check the value for anything harmful.


Quote from http://forum.joomla.org/index.php/topic,93640.0.html

Your scripts break because they aren't coded to the right standard. End of story.

All Joomla is doing is notifying you of the security risk. What's wrong with that?


Posted: Sun Nov 11, 2007 6:34 am 
Joomla! Fledgling (Joined: Fri Aug 31, 2007 3:21 am, Posts: 2)
I have the same problem some of you have, in which when I run joomla_hisa_en.php I get the message stating that my PHP register_globals setting is `ON` instead of `OFF`. I check in the admin backend, System --> System Info, and it tells me Joomla! Register Globals Emulation: OFF and Register Globals: OFF. I also check my php.ini file and it says it's off. Is it really off or on?

Also, when I run joomla_hisa_en.php the report tells me my configuration.php file is writable and is in red; however, the side panel reads... "Your configuration.php is not writable. For security this is good, however, you will no longer be able to use Joomla! to modify the configuration online." This is most likely an error in the coding of joomla_hisa_en.php, right?

This is really giving me a headache. Can anyone else tell me why I might be getting the "register globals is ON" message?? I'd really appreciate it. Thanks in advance.

FYI, I spoke to my hosting company (Bluehost) and they say it's off in the php.ini file and have no clue why joomla_hisa_en.php is reporting otherwise.
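Two points in this thread invite a worked example: the quoted explanation that register_globals copies every request value into a variable without checking it, and the last post's confusion about a checker script reporting register_globals ON while php.ini says Off. The block below is an added example, not code from the thread, from Joomla or from joomla_hisa_en.php; it shows how a checker should normalise the raw ini value (a naive truthiness test mistakes the string "Off" for on, which is one plausible cause of such a mismatch) and the explicit, validated input pattern that replaces reliance on register_globals. The function names and sample values are constructed for illustration.

```php
<?php
// Added example (not from the thread or Joomla): report the effective
// register_globals state the way a checker should, and show explicit,
// validated request input, which works the same whether the flag is on or off.

// ini_get() hands back the raw directive string ("On", "off", "1", "0", "")
// or false when PHP has no such directive (register_globals was removed in
// PHP 5.4). `if (ini_get('register_globals'))` treats the string "Off" as true.
function ini_flag_is_on($raw)
{
    if ($raw === false || $raw === null) {
        return false;                       // directive unknown: nothing to enable
    }
    $v = strtolower(trim((string) $raw));
    return in_array($v, array('1', 'on', 'yes', 'true'), true);
}

function register_globals_status()
{
    $raw = ini_get('register_globals');
    return array(
        'raw'     => $raw,
        'enabled' => ini_flag_is_on($raw),
        'note'    => $raw === false ? 'directive absent (PHP >= 5.4)' : 'from ini_get()',
    );
}

// register_globals would turn ?id=abc into $id = 'abc' unchecked. Instead,
// read the parameter explicitly from the request array and validate it:
// here an integer that must fall inside a known range, else a default.
function request_int(array $source, $key, $default, $min, $max)
{
    if (!isset($source[$key]) || !ctype_digit((string) $source[$key])) {
        return $default;                    // missing or not a plain non-negative integer
    }
    $n = (int) $source[$key];
    return ($n >= $min && $n <= $max) ? $n : $default;
}

// Constructed sample values, as a checker might see them on different hosts.
foreach (array('On', 'Off', '1', '0', '', false) as $sample) {
    printf("%-7s => %s\n", var_export($sample, true), ini_flag_is_on($sample) ? 'ON' : 'OFF');
}
print_r(register_globals_status());

// Constructed request: 'id' is accepted; 'page' is not numeric and falls back to 1.
$get = array('id' => '42', 'page' => 'abc');
var_dump(request_int($get, 'id', 0, 1, 1000));
var_dump(request_int($get, 'page', 1, 1, 50));
```

Run it with the PHP CLI on the host in question; the `register_globals_status()` line shows what the checker actually sees, independent of what the admin backend displays.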

