The Joomla! Forum ™



Posted: Tue Jun 19, 2012 1:12 pm
Joomla! Apprentice

Joined: Wed Apr 20, 2011 1:31 pm
Posts: 45
Quick Icon for Joomla Update Says "Joomla is up to date" with 2.5.1 and 2.5.4

If I go to Extension Manager -> Updates, purge and check for updates, I get this message:
Quote:
The PHP allow_url_fopen setting is disabled. This setting must be enabled for the updater to work.


I can simply enable allow_url_fopen but this is what my host has to say about it.

What uses allow_url_fopen? Is it just the Joomla core, or will each extension use it as well? Will it be safe to activate it?


Posted: Tue Jun 19, 2012 3:28 pm
Joomla! Hero

Joined: Sat Oct 21, 2006 10:20 pm
Posts: 2702
Location: Wisconsin USA
This has been bashed about very extensively within the security forums and elsewhere. The following is from a post months ago I made. I can offer the following and it may help others if nothing else. The thing hosts should do is disable url_include as this will disable the ability to include remote files using the include() function in PHP. Disabling allow_url_fopen breaks many things on many sites and is a cop out (INMO) for hosts that want to be lazy.

From previous postings, there is or was big discussion (in June I think) as to alternatives. It does not appear there are many alternatives except to update manually if you can not turn on the allow_url_fopen on your domain. See the bottom of this post for how to enable allow_url_fopen on your site.

Now before anyone tries to start a flame war with what I am about to say please read and understand all of the next paragraph below.

If allow_url_fopen is on in the server you definitely want allow_url_include to be set to Off, this mitigates many of the risks of allow_url_fopen.

However, because it is possible that not all versions of PHP have allow_url_include, the best practice for many is to just turn off fopen. The curl module can also probably do the job, and refactoring the Joomla to use curl and disabling allow_url_fopen may deter at least the least determined cracker.

The problem is curl is not always enabled on every server.

In the meantime you can try the following way to attempt to turn on allow_url_fopen and then remove the line/file when done updating or just update manually as I stated above.

Create a file called php.ini containing the line (or add this line to an existing php.ini file in the Joomla administration directory)

allow_url_fopen = 1

Now save this ini file in the Joomla "administration" directory and try running the update.
If it is successful, then you can use this method; otherwise you will need to do the manual method.

Manual method IF YOU ARE ALREADY ON SOME VERSION OF 1.7.

* Make a backup of your site files and database just to be safe.
* Download the desired update package. I recommend the tar.gz update package.
* FTP the update package to the root of where you have Joomla installed. It must be placed where you installed Joomla or it will not work.
* Log in to your domain's Control Panel. This can be C-panel, DirectAdmin, etc.
* Using the control panel's file manager, navigate to where Joomla is installed. You should find the update package you just uploaded there.
* Select and extract the package.
* This will add/overwrite any core files in the Joomla core that are new/changed in the update following the structure of Joomla.
* If all went well, you are now updated to the latest Joomla version manually.

Notes:

Delete the update package from the domain when done.

The tar.gz file is recommended because not all servers' file managers will unpackage zip files, but most will unpackage a tar.gz file. If it won't work for you, then by all means substitute a zip update package.

You can not (or should not) use any Joomla extensions to do this; unexpected results may be the result. An exception is an extension designed specifically to handle updates as it is unlikely to use anything that may be updated within the core.


***********************************
This is from your own link on how to enable it on your server:
***********************************
Workaround

You can enable 'allow_url_fopen' by editing your php.ini file. The process is very straightforward; it is as simple as including the following line to your own php.ini file at /home/00000/etc/php.ini. If you are just starting to use a custom php.ini file, you may need to also change the memory_limit value.

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator
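
Added example (not part of the forum posts and not Joomla code): a Python script that classifies php.ini text by the two directives discussed above, so the php.ini files on a hosting account can be checked for allow_url_include left on, or for a temporary allow_url_fopen override that sets nothing for allow_url_include. The verdict names and sample files are constructed for illustration, and the script assumes a later assignment in a file overrides an earlier one.

```python
"""Audit php.ini text for the allow_url_fopen / allow_url_include combination."""

TRUE_VALUES = {"1", "on", "true", "yes"}  # php.ini spellings of boolean true

def parse_php_ini(text):
    """Return {directive: value}; assumed: a later assignment overrides an earlier one."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a comment
        if not line or line.startswith("[") or "=" not in line:
            continue                              # blank line or [section] header
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings

def flag(settings, name):
    """True/False for a boolean directive, None when the file does not set it."""
    if name not in settings:
        return None
    return settings[name].lower() in TRUE_VALUES

def assess(text):
    """Classify one php.ini by the two directives discussed in the thread."""
    s = parse_php_ini(text)
    fopen, include = flag(s, "allow_url_fopen"), flag(s, "allow_url_include")
    if include:
        return "remote-include-on"       # include()/require() may load URLs
    if fopen is None:
        return "fopen-unset"             # effective value comes from elsewhere
    if not fopen:
        return "fopen-off"               # Joomla updater reports it cannot run
    if include is None:
        return "fopen-on-include-unset"  # confirm the effective value on the host
    return "fopen-on-include-off"        # the combination recommended in the post

# Constructed sample files, not taken from any real host.
SAMPLES = {
    "temporary override": "allow_url_fopen = 1\n",
    "hardened": "; host default\nallow_url_fopen = On\nallow_url_include = Off\n",
    "risky": "allow_url_fopen = On\nallow_url_include = On ; legacy\n",
    "locked down": "[PHP]\nallow_url_fopen = Off\nallow_url_include = 0\n",
    "overridden": "allow_url_include = On\nallow_url_include = Off\nallow_url_fopen=1\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:20} {assess(text)}")
```

A verdict of fopen-on-include-unset means the file alone does not decide allow_url_include; the effective value has to be read from the running PHP configuration.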


Posted: Tue Jun 19, 2012 4:43 pm
Joomla! Apprentice

Joined: Wed Apr 20, 2011 1:31 pm
Posts: 45
PhilD, thanks for the info, I know that include of a URL (off site) file is disabled, I tried it once and it was blocked.

I was not 100% sure about enabling fopen across ALL my domains, so I will try the php.ini file within the site and see if that works. If it does, great; if not, I think I should be safe to just enable it across the board. (I did see and enable it momentarily to do an update, but if during the update is the security vulnerability that is of no help)

Am I relying on just Joomla to handle the command, or all installed extensions?

