any recommendations for locking down php.ini for joomla 3+?

Discussion regarding Joomla! 3.x security issues.

Moderators: mandville, General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Forum Post Assistant / FPA - If you are serious about wanting help, you will use this tool to help you post.
Windows Defender SmartScreen Issues <-- please read this if using Windows 10.
Locked
mikeali
Joomla! Apprentice
Joomla! Apprentice
Posts: 10
Joined: Tue Oct 16, 2012 11:07 pm

any recommendations for locking down php.ini for joomla 3+?

Post by mikeali » Mon Nov 05, 2012 8:42 am

Hi all,

Are there any articles that can help me to understand what functions need to enabled/disabled on php.ini to maximize my php security?

I found the following article but it's recommended for older version of joomla and I'm not sure if I should follow this or not?

http://kb.siteground.com/article/Recomm ... urity.html

Please advise.
Last edited by imanickam on Tue Nov 06, 2012 2:47 am, edited 1 time in total.
Reason: Moved topic » from General Questions/New to Joomla! 3.0 to Security in Joomla! 3.0

RedEye
Joomla! Ace
Joomla! Ace
Posts: 1460
Joined: Sat Jan 21, 2006 8:42 pm

Re: any recommendations for locking down php.ini for joomla

Post by RedEye » Thu Nov 08, 2012 5:46 am

mikeali wrote:I found the following article but it's recommended for older version of joomla and I'm not sure if I should follow this or not?
You should not
register_globals -> default to off since php4.2, now deprecated and removed in 5.4
magic_quotes_gpc -> deprecated 5.3, removed 5.4 and Joomla3 requirement is off not on
allow_url_fopen -> some say turn it off, some say it`s ok being on blabla,
my setting is on and allow_url_include is off
expose_php -> well hide the php version with this, that you use php on the server everybody knows when looking at your site

and pls dont take this as an advise! there are more than 4 settings when it comes to security and there where always more than 4!
So if you are the admin of your live server, my advise is to get a managed one

User avatar
jdbdrwho
Joomla! Intern
Joomla! Intern
Posts: 55
Joined: Wed Jun 20, 2012 5:47 am
Location: Goshen, Utah, USA
Contact:

Re: any recommendations for locking down php.ini for joomla

Post by jdbdrwho » Wed Nov 14, 2012 1:30 am

Put this into your .htaccess file. You can use this same method to prevent access to a file through the browser for any files on your hosting account.

Code: Select all

<Files php.ini>
  order allow,deny
  deny from all
</Files>
============
John Boone
http://www.boonewebmaster.com - Web Design

RedEye
Joomla! Ace
Joomla! Ace
Posts: 1460
Joined: Sat Jan 21, 2006 8:42 pm

Re: any recommendations for locking down php.ini for joomla

Post by RedEye » Wed Nov 14, 2012 3:05 am

You just made my day :laugh:

User avatar
HannahCornwall
Joomla! Apprentice
Joomla! Apprentice
Posts: 7
Joined: Tue Nov 20, 2012 9:03 pm
Location: Swindon, Wiltshire, UK

Re: any recommendations for locking down php.ini for joomla

Post by HannahCornwall » Wed Nov 28, 2012 9:29 pm

jdbdrwho wrote:Put this into your .htaccess file
oohhh Trust The Doctor! Do you get that on TV in the US?

mikeali
Joomla! Apprentice
Joomla! Apprentice
Posts: 10
Joined: Tue Oct 16, 2012 11:07 pm

Re: any recommendations for locking down php.ini for joomla

Post by mikeali » Tue Jan 15, 2013 7:39 am

Thank you all

User avatar
Davv
Joomla! Apprentice
Joomla! Apprentice
Posts: 9
Joined: Sat Nov 10, 2012 6:17 pm
Location: Sampaloc

Re: any recommendations for locking down php.ini for joomla

Post by Davv » Sat Feb 16, 2013 4:41 am

<Files php.ini>
order allow,deny
deny from all
</Files>
Yup, that's the most popular way of doing this. ;)
It will show you a 403 message.

Another way of doing this is to make chmod 600 on that file.

I prefer a better way though:
I match it on a regex and show a 404: ;D

Code: Select all

RedirectMatch 404 .*php\.ini
This would also help if you got some copies in different places.
Some servers could create php.ini.bak/bkup files, from which the first method would not protect you :geek:
My laminine blog @ http://mlmvikings.com/

sovainfo
Joomla! Exemplar
Joomla! Exemplar
Posts: 8808
Joined: Sat Oct 01, 2011 7:06 pm

Re: any recommendations for locking down php.ini for joomla

Post by sovainfo » Sat Feb 16, 2013 1:46 pm

You also have one for php5.ini ?
Issue with migrating? Include logs/joomla_update.php in your report!
Blank screen? Verify pagesource for HTML code (javascript error)
Installation failing on populating database? Install with set_time_limit(0)
Document your customizations!

User avatar
jdbdrwho
Joomla! Intern
Joomla! Intern
Posts: 55
Joined: Wed Jun 20, 2012 5:47 am
Location: Goshen, Utah, USA
Contact:

Re: any recommendations for locking down php.ini for joomla

Post by jdbdrwho » Mon Feb 18, 2013 4:32 am

Davv wrote:
<Files php.ini>
order allow,deny
deny from all
</Files>

Code: Select all

RedirectMatch 404 .*php\.ini
Google Looks Down on 404 pages. 404 pages are not SEO friendly. I use "php 5.4 Single ini," which means I only have one php.ini file. I keep my web site data clean of extra garbage.

And I write perl scripts to help me with verify that all my php scripts are up to date, WordPress and Joomla. I love to write perl scripts ;)

Best protection against getting hacked is to keep your websites up to date and don't use any plugin or component just because it has some fancy bells and whistles. Best to check out the Joomla vulnerability list before installing a particular component.
======
In answer to a previous question about DrWho. (Doctor who fan since the early 70's.)

Yes I get Doctor Who from Amazon.com on my HD TV :D
============
John Boone
http://www.boonewebmaster.com - Web Design

User avatar
jdbdrwho
Joomla! Intern
Joomla! Intern
Posts: 55
Joined: Wed Jun 20, 2012 5:47 am
Location: Goshen, Utah, USA
Contact:

Re: any recommendations for locking down php.ini for joomla

Post by jdbdrwho » Mon Feb 18, 2013 6:51 am

sovainfo wrote:You also have one for php5.ini ?

Code: Select all

<Files php5.ini>
order allow,deny
deny from all
</Files>
This code you can use for any file you which to block access. The .htaccess file can be used in various methods to secure your website. However with the use of FTP (File Transfer Protocol) connections, you can access any file as the .htaccess file does not safe guard against ftp access.

Changing file permissions really doesn't do much of anything to protect yourself from hackers. You can set the file permissions to 000 - no rights at all. If I have access to the file system I can issue a chmod command to change the permissions to any setting I want, including 777 which is full rewrite and execute permissions.

The "deny all" .htaccess to deny access to a particular file has the same pitfall. If a hacker gains access to your file system. Then the hacker can access your files and can change the contents of the .htaccess file, change permissions and can destroy files, rewrite code and hack all your files.

The best protection -- Is to always keep your web content up to date. Be careful of which plugins and components you install and --- ALWAYS --- Backup your web content.

Never rely on your hosting provider to do your backups for you. Do your own backups and store them offline where you can restore a backup if needed.

http://docs.joomla.org/Security
http://docs.joomla.org/Category:Security_Checklist
http://docs.joomla.org/Vulnerable_Extensions_List

Do not use anything on the Joomla Vulnerability list that shows up as "Red". If you can, avoid adding too many components. If you can get by without a particular plugin, it is better than expanding your potential php vulnerability.

Check your back-end updates of Joomla, components and plugins. As well as any other php script on your hosting account.

One php vulnerability that grants access to the file system is all that is needed to get your site hacked.

:pop
============
John Boone
http://www.boonewebmaster.com - Web Design

sovainfo
Joomla! Exemplar
Joomla! Exemplar
Posts: 8808
Joined: Sat Oct 01, 2011 7:06 pm

Re: any recommendations for locking down php.ini for joomla

Post by sovainfo » Mon Feb 18, 2013 7:25 am

Even with access to the filesystem security still applies. So permissions are relevant. You can only do things you are allowed to. FTP doesn't give you access to everything. So, you can only change permissions when you are allowed to.

And yes, the best protection on your frontdoor is useless when you leave the door to the garden open!
Issue with migrating? Include logs/joomla_update.php in your report!
Blank screen? Verify pagesource for HTML code (javascript error)
Installation failing on populating database? Install with set_time_limit(0)
Document your customizations!

User avatar
leolam
Joomla! Master
Joomla! Master
Posts: 20651
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America
Contact:

Re: any recommendations for locking down php.ini for joomla

Post by leolam » Tue Feb 19, 2013 8:38 am

HannahCornwall wrote:oohhh Trust The Doctor! Do you get that on TV in the US?
Hello: Genaecology is stated in his signature and not gynaecology. ;-)

Leo
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -

harry888
Joomla! Apprentice
Joomla! Apprentice
Posts: 7
Joined: Thu Aug 15, 2013 12:06 pm

Re: any recommendations for locking down php.ini for joomla

Post by harry888 » Wed Sep 25, 2013 11:05 am

RedEye wrote:You should not
register_globals -> default to off since php4.2, now deprecated and removed in 5.4
magic_quotes_gpc -> deprecated 5.3, removed 5.4 and Joomla3 requirement is off not on
allow_url_fopen -> some say turn it off, some say it`s ok being on blabla,
my setting is on and allow_url_include is off
expose_php -> well hide the php version with this, that you use php on the server everybody knows when looking at your site

And dont forget to disable remote file execution. An attacker can open files from remote server and execute any PHP code. This allows them to upload file, delete file and install backdoors.

RedEye
Joomla! Ace
Joomla! Ace
Posts: 1460
Joined: Sat Jan 21, 2006 8:42 pm

Re: any recommendations for locking down php.ini for joomla

Post by RedEye » Wed Sep 25, 2013 5:27 pm

harry888 wrote:And dont forget to disable remote file execution.
Hi harry, what is the name of the config var I have to set for this?

harry888
Joomla! Apprentice
Joomla! Apprentice
Posts: 7
Joined: Thu Aug 15, 2013 12:06 pm

Re: any recommendations for locking down php.ini for joomla

Post by harry888 » Thu Sep 26, 2013 2:36 am

allow_url_include = 'off'

This is a setting available in php 5.2 and above. See more here:
http://phpsec.org/projects/phpsecinfo/t ... clude.html

erfahrungen
Joomla! Apprentice
Joomla! Apprentice
Posts: 7
Joined: Thu Oct 10, 2013 11:01 am

Re: any recommendations for locking down php.ini for joomla

Post by erfahrungen » Sat Oct 12, 2013 9:56 am

This option is disabled by default usually.

harry888
Joomla! Apprentice
Joomla! Apprentice
Posts: 7
Joined: Thu Aug 15, 2013 12:06 pm

Re: any recommendations for locking down php.ini for joomla

Post by harry888 » Wed Oct 16, 2013 5:00 am

erfahrungen wrote:This option is disabled by default usually.

Thats right, but don`t forget that most attacks are only possible because of outdated scripts and extensions and misconfigured servers.

User avatar
leolam
Joomla! Master
Joomla! Master
Posts: 20651
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America
Contact:

Re: any recommendations for locking down php.ini for joomla

Post by leolam » Wed Oct 16, 2013 5:16 am

allow_url_include = 'off'

Is not available anymore in since cPanel distro's 11.34.xx

Leo 8)
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -

RedEye
Joomla! Ace
Joomla! Ace
Posts: 1460
Joined: Sat Jan 21, 2006 8:42 pm

Re: any recommendations for locking down php.ini for joomla

Post by RedEye » Tue Nov 19, 2013 8:54 pm

Uh some new replies on this funny thread, I should enable notification here again^^
harry888 wrote:allow_url_include = 'off'
This is a setting available in php 5.2 and above. See more here:
http://phpsec.org/projects/phpsecinfo/t ... clude.html
Thx for taking the time to answer this, even if you already quoted this config var from my post.
erfahrungen wrote:This option is disabled by default usually.
You can strip that "usually" :)
leolam wrote:allow_url_include = 'off'
Is not available anymore in since cPanel distro's 11.34.xx
Finally a useful information here, thx Leo :)
Is there a post somewhere how this is now handled in cPanel, or did they just cut it out without the ability to enable it? Didn't used cPanel for a long time now.


Locked

Return to “Security in Joomla! 3.x”