Warning: ini_set() has been disabled for security reasons

Discussion regarding Joomla! 1.5 security issues.
Joomla! Vulnerable Extensions: http://feeds.joomla.org/JoomlaSecurityV ... Extensions

Moderator: General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
User avatar
asadallahi
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 133
Joined: Thu Mar 30, 2006 8:42 pm
Location: IR.Iran
Contact:

Warning: ini_set() has been disabled for security reasons

Post by asadallahi » Mon Aug 25, 2008 6:45 pm

hi
i changed my host when i installed joomla in my new host site comes up but an error appears:

Warning: ini_set() has been disabled for security reasons in /home/memor/public_html/libraries/joomla/session/session.php on line 649


how can i fix it?
i installed joomla 1.5.4
http://www.itgate.ir =>The Gate to the Cyber World

User avatar
dhuelsmann
Joomla! Master
Joomla! Master
Posts: 19659
Joined: Sun Oct 02, 2005 12:50 am
Location: Omaha, NE
Contact:

Re: Warning: ini_set() has been disabled for security reasons

Post by dhuelsmann » Mon Aug 25, 2008 7:04 pm

This is not a Joomla issue. Your host has disabled the php function ini_set(). You will need to talk to them.
Regards, Dave
Past Treasurer Open Source Matters, Inc.
Past Global Moderator
http://www.kiwaniswest.org

digismarts
Joomla! Apprentice
Joomla! Apprentice
Posts: 6
Joined: Mon Aug 25, 2008 5:26 pm

Re: Warning: ini_set() has been disabled for security reasons

Post by digismarts » Mon Aug 25, 2008 7:07 pm

Also, please update to 1.5.6 as soon as possible due to the hacking problems sites have been experiencing!

User avatar
asadallahi
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 133
Joined: Thu Mar 30, 2006 8:42 pm
Location: IR.Iran
Contact:

Re: Warning: ini_set() has been disabled for security reasons

Post by asadallahi » Mon Aug 25, 2008 8:38 pm

ok. thanks
i upgrade it to 1.5.6
but nothing changed !! :(

can you help me fix it?
http://www.itgate.ir =>The Gate to the Cyber World

User avatar
dhuelsmann
Joomla! Master
Joomla! Master
Posts: 19659
Joined: Sun Oct 02, 2005 12:50 am
Location: Omaha, NE
Contact:

Re: Warning: ini_set() has been disabled for security reasons

Post by dhuelsmann » Mon Aug 25, 2008 8:41 pm

asadallahi wrote:ok. thanks
i upgrade it to 1.5.6
but nothing changed !! :(

can you help me fix it?
dhuelsmann wrote:This is not a Joomla issue. Your host has disabled the php function ini_set(). You will need to talk to them.
Regards, Dave
Past Treasurer Open Source Matters, Inc.
Past Global Moderator
http://www.kiwaniswest.org

User avatar
asadallahi
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 133
Joined: Thu Mar 30, 2006 8:42 pm
Location: IR.Iran
Contact:

Re: Warning: ini_set() has been disabled for security reasons

Post by asadallahi » Tue Aug 26, 2008 9:19 am

any way to do it?
like writing some code in ".htaccess" file?
http://www.itgate.ir =>The Gate to the Cyber World

User avatar
serafix
Joomla! Fledgling
Joomla! Fledgling
Posts: 4
Joined: Thu Mar 02, 2006 6:48 pm

Re: Warning: ini_set() has been disabled for security reasons

Post by serafix » Tue Aug 26, 2008 2:59 pm

asadallahi wrote:any way to do it?
like writing some code in ".htaccess" file?
Do this:

1. In you joomla root folder, create a file called "php.ini".

2. Edit that file and type "disable_functions =".

3. Save the file and refresh you website.

4. Enjoy every day... It never come´s back.

Serafix
Happy Joomling

Enjoy every day... It never come's back!

~ : )

User avatar
asadallahi
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 133
Joined: Thu Mar 30, 2006 8:42 pm
Location: IR.Iran
Contact:

Re: Warning: ini_set() has been disabled for security reasons

Post by asadallahi » Tue Aug 26, 2008 5:13 pm

Do this:

1. In you joomla root folder, create a file called "php.ini".

2. Edit that file and type "disable_functions =".

3. Save the file and refresh you website.

4. Enjoy every day... It never come´s back.

Serafix
i did it but it does not work!
http://www.itgate.ir =>The Gate to the Cyber World

User avatar
dhuelsmann
Joomla! Master
Joomla! Master
Posts: 19659
Joined: Sun Oct 02, 2005 12:50 am
Location: Omaha, NE
Contact:

Re: Warning: ini_set() has been disabled for security reasons

Post by dhuelsmann » Tue Aug 26, 2008 5:24 pm

If your host is disabling functions for security reasons you are unlikely to be allowed to run your own copy of php.ini. Have you contacted your host at all??
Regards, Dave
Past Treasurer Open Source Matters, Inc.
Past Global Moderator
http://www.kiwaniswest.org

User avatar
asadallahi
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 133
Joined: Thu Mar 30, 2006 8:42 pm
Location: IR.Iran
Contact:

Re: Warning: ini_set() has been disabled for security reasons

Post by asadallahi » Tue Aug 26, 2008 6:23 pm

Yes
i contact them they finally accept my request and enable it

and it solved

thanks a lot for you help
http://www.itgate.ir =>The Gate to the Cyber World

mobiuzhost
Joomla! Fledgling
Joomla! Fledgling
Posts: 1
Joined: Tue Sep 09, 2008 5:25 pm
Contact:

Re: Warning: ini_set() has been disabled for security reasons

Post by mobiuzhost » Tue Sep 09, 2008 5:41 pm

Hello,

I am a network admin and I bring answers. First, creating a php.ini yourself and just adding disable_function is a bad idea as you should really pull a copy of the master php.ini. If you have access to your own server with (root) not jail shell access (also assuming it is a linux environment: Redhat or CentOS) you can type the following:

php -i | grep php.ini

The above command will tell you exact path for the true php.ini location. After running it, the system will blurb this to your screen:

root@host [/..]# php -i | grep php.ini
Configuration File (php.ini) Path => /usr/local/lib
Loaded Configuration File => /usr/local/lib/php.ini

So then we just go there: cd /usr/local/lib
Now we copy it: cp php.ini php.2
Now we move it to your root directory:

mv php.2 /home/username/public_html

Now we goto your root directory: cd /home/username/public_html
Now we rename it: mv php.2 php.ini
Now we restore ownership: chown username:username php.ini

Open it up and find disable_functions= If you see init_set listed then it is disabled. If it is there, it is enabled so just remove it then save.
-----

Most of us do not have the luxury of having root access to a machine, so you can ask your host to disable it. However, they will most likely tell you to get a life and put your support request on hold for hours till you give up. If they say no ask them if they can put a custom php.ini file in your root directory /public_html/ then either they can make that change or you regarding ini_set

UPDATE: Failed to mention that sometimes the custom php.ini needs to be placed within the directory of the calling script.

Hope this helps. Cheers!

- Justin
Mobiuz Digital Media
http://www.mobiuz.com

User avatar
bobthebob01
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 195
Joined: Fri Oct 07, 2005 1:02 am

Re: Warning: ini_set() has been disabled for security reasons

Post by bobthebob01 » Wed Nov 12, 2008 5:24 am

Woa, thanks mobiuzhost for your detailed and clear explanation. It's really appreciated.
It's nice to have network admins sharing their experience with every body in such simple and easy to understand words.

cheers for that.

just a quick one: i read in another thread on the french board that you can simply add "@" in front of every occurrence of the word "ini_set" in libraries/joomla/session/session.php
And it's sound strange to me.

Does anybody have a comment on that?

thanks

bob

User avatar
alavi nik
Joomla! Explorer
Joomla! Explorer
Posts: 344
Joined: Wed Sep 20, 2006 7:48 pm
Location: Tehran,Iran
Contact:

Re: Warning: ini_set() has been disabled for security reasons

Post by alavi nik » Wed Nov 12, 2008 10:04 pm

Hello

you must create php.ini and copy it into joomla root and administrator folder

good luck ;-)
Joomfa Team(Joomla farsi) ==> http://joomfa.org

User avatar
bobthebob01
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 195
Joined: Fri Oct 07, 2005 1:02 am

Re: Warning: ini_set() has been disabled for security reasons

Post by bobthebob01 » Mon Nov 17, 2008 7:45 am

thanks guys.

and indeed, on my server i had to copy php.ini in my administrator folder. it was not sufficient to have it at the root.

cheers

User avatar
EhabIT
Joomla! Apprentice
Joomla! Apprentice
Posts: 16
Joined: Wed Jul 22, 2009 12:02 pm
Contact:

Re: Warning: ini_set() has been disabled for security reason

Post by EhabIT » Wed May 05, 2010 1:32 pm

thank you guys this did help the problem :)

u_aus
Joomla! Apprentice
Joomla! Apprentice
Posts: 7
Joined: Sat May 17, 2008 4:26 pm

Re: Warning: ini_set() has been disabled for security reason

Post by u_aus » Wed May 19, 2010 12:14 am

serafix wrote:
asadallahi wrote:any way to do it?
like writing some code in ".htaccess" file?
Do this:

1. In you joomla root folder, create a file called "php.ini".

2. Edit that file and type "disable_functions =".

3. Save the file and refresh you website.

4. Enjoy every day... It never come´s back.

Serafix
Nicely Done!!!! U Saves Lifes!!!

User avatar
Adamdg
Joomla! Apprentice
Joomla! Apprentice
Posts: 5
Joined: Fri Mar 12, 2010 3:21 pm

Re: Warning: ini_set() has been disabled for security reason

Post by Adamdg » Thu Aug 12, 2010 12:52 pm

bobthebob01 wrote:
just a quick one: i read in another thread on the french board that you can simply add "@" in front of every occurrence of the word "ini_set" in libraries/joomla/session/session.php
And it's sound strange to me.

Does anybody have a comment on that?

bob
I faced this problem after upgrading from 1.5.10 to 1.5.20:
"ini_set() has been disabled for... line 102, 105 and 688"

I did exactly what Bob said: just simply add "@" in front of those 3 line and everythings fixed.
Just don't know how to explain...
But it works!!!

By the way, adding php.ini file with "disable_functions =" doesn't work!
And if it were caused by your hosting, i suggest asking your hosting provider as the best solution.
A vasectomy means never having to say you're sorry :) :) -- Anonymous
http://langbian.net

User avatar
reggaebkk
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 176
Joined: Mon Jul 14, 2008 1:39 pm

Re: Warning: ini_set() has been disabled for security reason

Post by reggaebkk » Mon Aug 16, 2010 5:59 am

Greetings,

This thread is most interesting and educative.

Still I was wondering, having used joomla for several years and noticing this ini_set enabling to be a security risk on my VPS, why doesn't joomla development team fixes it.

Not complaining of course (joomla is free :P), but it seems that they are so quick to react to security flaw and give so good advise on how to set servers the right way... why don't they solve this ini_set issue?

Kindly
Mat

User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 15150
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Warning: ini_set() has been disabled for security reason

Post by mandville » Mon Aug 16, 2010 9:05 am

reggaebkk wrote:Still I was wondering, having used joomla for several years and noticing this ini_set enabling to be a security risk on my VPS, why doesn't joomla development team fixes it.
one reason is a lot of people dont have access to php.ini and are on shared servers
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

User avatar
reggaebkk
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 176
Joined: Mon Jul 14, 2008 1:39 pm

Re: Warning: ini_set() has been disabled for security reason

Post by reggaebkk » Mon Aug 16, 2010 9:38 am

Thanks for this reply Miss MandVille.
Still, not having access to php.ini for some users is not a reason why VPS users (and it is advised to run Joomla on VPS), should have to go and tweak libraries/joomla/session/session.php in order to have their joomla/vps run safely.
Knowing all this maybe there should be a option in configuration to manage this session.php tweak...
does that make sense?
or not at all?

Kindly
Mat

User avatar
RussW
Joomla! Exemplar
Joomla! Exemplar
Posts: 9347
Joined: Sun Oct 22, 2006 4:42 am
Location: Sunshine Coast, Queensland, Australia
Contact:

Re: Warning: ini_set() has been disabled for security reason

Post by RussW » Sun Aug 29, 2010 9:01 am

Why?

ini_set, in itself, is not a security risk, if the server and php are configured correctly and with limits. The users cannot exceed what the admins set as a maximum, even if they try. So disabling ini_set is only "Security through Obscurity" not actually "Security"... on a properly configured server.
Joomla! on the fabulous Sunshine Coast...
hotmango, web & print http://www.hotmango.me/
The Styleguyz https://www.thestyleguyz.com/

CHCG
Joomla! Explorer
Joomla! Explorer
Posts: 309
Joined: Mon Sep 12, 2005 5:23 am
Location: Stockholm, Sweden

Re: Warning: ini_set() has been disabled for security reason

Post by CHCG » Fri Nov 12, 2010 12:41 pm

Just to follow up on this issue:

I received the same warnings as described in previous posts. The problem occurred suddenly and for no apparent reson. I solved the problem by adding @ to the mentioned lines 102, 105 and 655 in the sessions.php file in libraries/joomla/sessions.

What I would like to know is:

a) Why the problem occured in the first place (i.e. if the cause is Joomla-related after all)
and
b) If the remedy used (adding the @) has any security or other implications

Anyone's advise is most appreciated!

I am using Joomla 1.5.22 in a Linux environment.

atb
Joomla! Fledgling
Joomla! Fledgling
Posts: 1
Joined: Fri Dec 03, 2010 8:48 pm

Re: Warning: ini_set() has been disabled for security reason

Post by atb » Fri Dec 03, 2010 9:04 pm

I doubt if this subject has gone away - I've applied the Joomla patch to take it to 1.5.22 on a Zymic host and this problem appeared. However there appears to be a worthy explanation at:
http://www.zen-cart.com/forum/showthread.php?t=121807
Summarizing: The "fix" by adding the @ only suppresses the PHP error messages and does not fix the problem. A solution is quoted, which relates to the ability to send e-mails, if the hosting comapny refuses to make PHP setting changes.
I am not yet in a position to have checked it out, but it seems worth checking out.

User avatar
Z9iT
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 166
Joined: Fri Oct 14, 2011 8:15 am
Contact:

Re: Warning: ini_set() has been disabled for security reason

Post by Z9iT » Sun Dec 18, 2011 7:43 pm

mandville wrote:
reggaebkk wrote:Still I was wondering, having used joomla for several years and noticing this ini_set enabling to be a security risk on my VPS, why doesn't joomla development team fixes it.
one reason is a lot of people dont have access to php.ini and are on shared servers
I agree with you mandville, Shared hosting has its own repercussions.... I am also having such problem at the moment. Tough i have supressed the error message by adding // to those lines, however no one is able to login either into frontend, not into admin. Any Suggestions for this.
As a footnote, the website is working perfectly fine on my virtual LAMP server by turnkey linux. I know this mess has been made by my hosting provider, but they are not ready to co-operate. Is it possible to resolve this at all????
http://z9it.com....Bringing the best of www, in a gist...

User avatar
leolam
Joomla! Master
Joomla! Master
Posts: 20652
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America
Contact:

Re: Warning: ini_set() has been disabled for security reason

Post by leolam » Thu Dec 22, 2011 5:24 am

Z9iT wrote:I agree with you mandville
Why are you Necroposting? This is a over 12 month old and dead thread
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -

tamermf
Joomla! Apprentice
Joomla! Apprentice
Posts: 12
Joined: Wed Feb 10, 2010 1:37 pm
Location: Cairo, EGYPT
Contact:

Re: Warning: ini_set() has been disabled for security reason

Post by tamermf » Sat Dec 24, 2011 2:00 am

Hello every body ,

The solution for putting a file ( php.ini ) is great ,
and it is better to allow you hosting provider give you a copy from this file and you can modify it and remove the part of "ini_set"

but be care to protect your website , it is not good to make your php.ini settings available for every one ,

with the upper solution any hacker can see your php settings from an easily link http://yourdomain/php.ini

Please every one , be care to set your file php.ini permission to be ( 640 )

This will prevent any one form see it and be available to download

Regards
Network EGYPT
Pioneers of Web Services in EGYPT
http://www.networkegypt.com/

User avatar
Z9iT
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 166
Joined: Fri Oct 14, 2011 8:15 am
Contact:

Re: Warning: ini_set() has been disabled for security reason

Post by Z9iT » Sun Dec 25, 2011 7:19 pm

leolam wrote:
Z9iT wrote:I agree with you mandville
Why are you Necroposting? This is a over 12 month old and dead thread
My friend, recently i've been targetted with this... my host has done this sin on me, and now its been more than a month that i am trying to compensate this, however everything fails... none of my users including me can login either to frontend or backend... I was thinking to start a new thread, however i came across this... infact my host has also denied me with a copy of php.ini....
http://z9it.com....Bringing the best of www, in a gist...

User avatar
leolam
Joomla! Master
Joomla! Master
Posts: 20652
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America
Contact:

Re: Warning: ini_set() has been disabled for security reason

Post by leolam » Mon Dec 26, 2011 2:43 am

Z9iT wrote: infact my host has also denied me with a copy of php.ini....
change host than. waiting a month is no solution

Leo 8)
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -

User avatar
PhilD
Joomla! Hero
Joomla! Hero
Posts: 2737
Joined: Sat Oct 21, 2006 10:20 pm
Location: Wisconsin USA
Contact:

Re: Warning: ini_set() has been disabled for security reason

Post by PhilD » Mon Dec 26, 2011 1:28 pm

Many hosts will not give a 'copy' of the servers php ini file to you as you would not be allowed to make certain changes to the server anyway. This is especially true on shared hosting (including VPS which is still shared hosting) where you are unlikely to make certain changes to the php installation on the server.

In most cases though, you can create your own php.ini file with a certain common subset of php commands that is made available. Exactly what the subset of commands is will be determined by your host. Also, unlike htaccess files and in general, php.ini files for a site have to be placed in every single directory on your domain to be effective.

If your web host is proving to be lacking in certain skills, difficult to work with, etc. then it would be best to find a new host that does know how to properly set up a server, maintain the server and provide reasonable customer service.
PhilD

User avatar
Z9iT
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 166
Joined: Fri Oct 14, 2011 8:15 am
Contact:

Re: Warning: ini_set() has been disabled for security reason

Post by Z9iT » Mon Dec 26, 2011 3:28 pm

Is there any standard php.ini file which i can download any use.. The server is running on cpanel
http://z9it.com....Bringing the best of www, in a gist...


Locked

Return to “Security in Joomla! 1.5”