secure it with php.ini

Discussion regarding Joomla! security issues.

Moderator: General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
User avatar
Pumuckl
Joomla! Apprentice
Joomla! Apprentice
Posts: 6
Joined: Tue Jul 11, 2006 12:37 pm

secure it with php.ini

Post by Pumuckl » Tue Jul 11, 2006 12:41 pm

Hi,
I don't know, whether you know this, but you can additional secure your Joomla with a php.ini in each directory or you main php.ini if you've an own server:

------------snip------------------
allow_url_fopen = OFF
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open
------------snap------------------

Thanks for your attention

User avatar
Vish
Joomla! Explorer
Joomla! Explorer
Posts: 382
Joined: Mon Aug 22, 2005 5:43 pm
Contact:

Re: secure it with php.ini

Post by Vish » Tue Jul 11, 2006 7:25 pm

Can the development confirm this for us?
Will this have any problems that we can foresee?
Why doesn't development include this in the Joomla distribution itself?
--Vish "Still Learning"

User avatar
RobS
Joomla! Ace
Joomla! Ace
Posts: 1367
Joined: Mon Dec 05, 2005 10:17 am
Location: New Orleans, LA, USA
Contact:

Re: secure it with php.ini

Post by RobS » Wed Jul 12, 2006 1:54 am

You have to have PHP configured to look for these extra php.ini files which most hosts probably don't do.  It is not included in the default install because it is not a common solution.  Most PHP developers recognize the potential for misuse of register globals and choose not to use them, it is better to have them turned off completely for the whole server and that is what we recommend.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions

User avatar
Pumuckl
Joomla! Apprentice
Joomla! Apprentice
Posts: 6
Joined: Tue Jul 11, 2006 12:37 pm

Re: secure it with php.ini

Post by Pumuckl » Wed Jul 12, 2006 5:42 am

But my Hoster (Schlund) have activated this features and I'm not sure, whether 1and1 this have activated, too.
It's not a failure to do this, if you do not know what your hoster is doing, it's better ti insert your own php.ini-file.
Right?

User avatar
RobS
Joomla! Ace
Joomla! Ace
Posts: 1367
Joined: Mon Dec 05, 2005 10:17 am
Location: New Orleans, LA, USA
Contact:

Re: secure it with php.ini

Post by RobS » Wed Jul 12, 2006 5:54 am

Pumuckl wrote: But my Hoster (Schlund) have activated this features and I'm not sure, whether 1and1 this have activated, too.
It's not a failure to do this, if you do not know what your hoster is doing, it's better ti insert your own php.ini-file.
Right?
PHP will not automatically read the vaules from any file called php.ini.  PHP has to be configured in the core php.ini file to scan other directories for more ini files.  By default, it only scans the extensions directory for other ini files.  Some hosts allow the users to override the configuration of the core php.ini via this method but as far as I am aware it is not a very common practice.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions

User avatar
albi
Joomla! Explorer
Joomla! Explorer
Posts: 273
Joined: Fri Aug 19, 2005 12:47 pm
Contact:

Re: secure it with php.ini

Post by albi » Wed Jul 12, 2006 5:57 am

RobS wrote:
Pumuckl wrote: But my Hoster (Schlund) have activated this features and I'm not sure, whether 1and1 this have activated, too.
It's not a failure to do this, if you do not know what your hoster is doing, it's better ti insert your own php.ini-file.
Right?
PHP will not automatically read the vaules from any file called php.ini.  PHP has to be configured in the core php.ini file to scan other directories for more ini files.  By default, it only scans the extensions directory for other ini files.  Some hosts allow the users to override the configuration of the core php.ini via this method but as far as I am aware it is not a very common practice.
I can overide the php.ini file.

Is this a solution that i can use for a more secure Joomla?
Demetris Dimarelis
http://www.e-orama.com, Web Services & Internet Marketing in Greece & Albania

User avatar
RobS
Joomla! Ace
Joomla! Ace
Posts: 1367
Joined: Mon Dec 05, 2005 10:17 am
Location: New Orleans, LA, USA
Contact:

Re: secure it with php.ini

Post by RobS » Wed Jul 12, 2006 6:12 am

If your host has register globals on I would suggest disabling it if you can by a php.ini override.  I don't know other than that, I don't mess with the settings of PHP very often to be familiar with more secure/less secure options (aside from register globals, obviously).
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions

User avatar
Pumuckl
Joomla! Apprentice
Joomla! Apprentice
Posts: 6
Joined: Tue Jul 11, 2006 12:37 pm

Re: secure it with php.ini

Post by Pumuckl » Wed Jul 12, 2006 6:19 am

I can overide the php.ini file.

Is this a solution that i can use for a more secure Joomla?
Yes, this will secure your joomla!
But check out, whether all function of 3rd party addons or components will work after this.
You have to insert the php.ini file in each directory, it does not work recursive!
And you didn't need to use the parameter "phpinfo", only if you don't want to show the user your php-configurations.
I've used it and I see, that joomla works still fine after I inserted the php.ini.
Try it!

if you're able to override the global php.ini, please add "php_value register_globals off", too

php.ini:
-------------snip-------------
allow_url_fopen = OFF
php_value register_globals off
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open
-------------snap-------------
Last edited by Pumuckl on Wed Jul 12, 2006 7:25 am, edited 1 time in total.

User avatar
albi
Joomla! Explorer
Joomla! Explorer
Posts: 273
Joined: Fri Aug 19, 2005 12:47 pm
Contact:

Re: secure it with php.ini

Post by albi » Thu Jul 13, 2006 7:22 am

Do i need to include php.ini also on images folder???  :(
Demetris Dimarelis
http://www.e-orama.com, Web Services & Internet Marketing in Greece & Albania

User avatar
Pumuckl
Joomla! Apprentice
Joomla! Apprentice
Posts: 6
Joined: Tue Jul 11, 2006 12:37 pm

Re: secure it with php.ini

Post by Pumuckl » Thu Jul 13, 2006 7:32 am

albi wrote: Do i need to include php.ini also on images folder???  :(
No, because there are no php-files

emagin
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 136
Joined: Sun Sep 11, 2005 7:46 pm
Location: san francisco, ca usa

Re: secure it with php.ini

Post by emagin » Thu Jul 13, 2006 5:39 pm

I have joomla sites hosted at site5, which runs PHP in cgi mode, supposedly for security.
The default php.ini for the server runs with register_globas=off

To secure your apps, this means that you have to have a php.ini file inside of every directory of your application. This is a major pain, but there is a great solution!

A guy there came up with two great scripts that let you take care of the issue:
1) copy your server's default php.ini - if you don't do this you will cause more damage than doing nothing
2) add the custom features you need in this php.ini
3) copy it across your site with script

http://tips-scripts.com/?tip=php_ini
http://tips-scripts.com/?tip=php_ini_copy
http://tips-scripts.com/?tip=php_ini_delete


I did this after a dotproject app was hacked, and realized how register_globals = ON is dangerous, so i went through all apps to do this. Now I do this as a rule for every app.

So the custom settings would be:

; USER MODIFIED PARAMETERS FOLLOW
register_globals = Off
session.use_trans_sid = 0

And make sure you save CHMOD the php.ini to 0600 before you copy it across the site with the script.  (I use winscp to edit the file directly from my desktop, or from putty, not sure if 0600 is too restrictive if you use other methods)
Last edited by emagin on Thu Jul 13, 2006 6:26 pm, edited 1 time in total.

User avatar
nathandiehl
Joomla! Champion
Joomla! Champion
Posts: 6044
Joined: Fri Aug 19, 2005 3:03 pm
Location: Indiana, USA
Contact:

Re: secure it with php.ini

Post by nathandiehl » Tue Jul 25, 2006 1:14 pm

emagin,
thank you very much for links to those scripts. they were very helpful!
If you're new to Joomla, Please read Anna's Joomla! Tips: http://forum.joomla.org/viewtopic.php?t=5503

http://nathandiehl.com | Find out what makes me tick

krbmedia
Joomla! Apprentice
Joomla! Apprentice
Posts: 7
Joined: Sun Oct 23, 2005 6:29 pm

Re: secure it with php.ini

Post by krbmedia » Tue Jul 25, 2006 2:00 pm

emagin wrote: I have joomla sites hosted at site5, which runs PHP in cgi mode, supposedly for security.
The default php.ini for the server runs with register_globas=off

To secure your apps, this means that you have to have a php.ini file inside of every directory of your application. This is a major pain, but there is a great solution!

A guy there came up with two great scripts that let you take care of the issue:
1) copy your server's default php.ini - if you don't do this you will cause more damage than doing nothing
2) add the custom features you need in this php.ini
3) copy it across your site with script

http://tips-scripts.com/?tip=php_ini
http://tips-scripts.com/?tip=php_ini_copy
http://tips-scripts.com/?tip=php_ini_delete


I did this after a dotproject app was hacked, and realized how register_globals = ON is dangerous, so i went through all apps to do this. Now I do this as a rule for every app.

So the custom settings would be:

; USER MODIFIED PARAMETERS FOLLOW
register_globals = Off
session.use_trans_sid = 0

And make sure you save CHMOD the php.ini to 0600 before you copy it across the site with the script.  (I use winscp to edit the file directly from my desktop, or from putty, not sure if 0600 is too restrictive if you use other methods)

If I use shared hosting how do I get to my servers php.ini file?

User avatar
nathandiehl
Joomla! Champion
Joomla! Champion
Posts: 6044
Joined: Fri Aug 19, 2005 3:03 pm
Location: Indiana, USA
Contact:

Re: secure it with php.ini

Post by nathandiehl » Tue Jul 25, 2006 5:20 pm

create a new php file with teh contents:



its results will give you the location.
If you're new to Joomla, Please read Anna's Joomla! Tips: http://forum.joomla.org/viewtopic.php?t=5503

http://nathandiehl.com | Find out what makes me tick

emagin
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 136
Joined: Sun Sep 11, 2005 7:46 pm
Location: san francisco, ca usa

Re: secure it with php.ini

Post by emagin » Tue Jul 25, 2006 6:47 pm

The second link listed explains how to copy your ini file.

emagin
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 136
Joined: Sun Sep 11, 2005 7:46 pm
Location: san francisco, ca usa

Re: secure it with php.ini

Post by emagin » Mon Jul 31, 2006 4:18 pm

Also, don't forget to run your copy php.ini  script after each component install in Joomla.
There are several components which write data in directories. If there is an exploit of that component (like a forum component, etc.) and you don't run the copy php.ini script to refill those new directories, you could be exposed.

Brandito
Joomla! Intern
Joomla! Intern
Posts: 50
Joined: Tue Aug 01, 2006 4:28 am
Contact:

Re: secure it with php.ini

Post by Brandito » Sat Aug 05, 2006 7:13 pm

emagin wrote: Also, don't forget to run your copy php.ini  script after each component install in Joomla.
There are several components which write data in directories. If there is an exploit of that component (like a forum component, etc.) and you don't run the copy php.ini script to refill those new directories, you could be exposed.
Hey emagin, thanks for the script. I am a little confused on how I run the copy script though?? I uploaded both the copy and default script from the links you gave me. And I named them, php.ini and multiply-php.ini. I typed the latter in my browsers address bar, but it just gave me an option to save the file. ???

Is there some kind of program I need to install or use? Could I PM you my scripts so you could have a look at them?

Thanks, Brandon.
www.hdtvinnovations.com - HDTV Innovations, your ultimate HDTV headquarters.

"I like mornings .. I just wish they were later in the day" - Me.
"'Techmology' what is it all about" - Ali G.

User avatar
Hal
Joomla! Apprentice
Joomla! Apprentice
Posts: 30
Joined: Fri Aug 19, 2005 11:24 pm
Location: Duisburg / Germany
Contact:

Re: secure it with php.ini

Post by Hal » Sat Aug 05, 2006 11:49 pm

Code: Select all

disable_functions =  show_source,exec,shell_exec,wget,proc,passthru,system,popen,proc_open,escapeshellcmd,escapeshellarg 


silexian
Joomla! Intern
Joomla! Intern
Posts: 63
Joined: Fri Sep 02, 2005 9:24 pm

Re: secure it with php.ini

Post by silexian » Thu Aug 17, 2006 9:04 am

Hello all

i would like your following ini code "translated" into the .htaccess file.
Do you know the equivalence ?

Code: Select all

register_globals = 0
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open
allow_url_fopen = 0
magic_gpc_quotes = 0

User avatar
Beat
Joomla! Guru
Joomla! Guru
Posts: 840
Joined: Thu Aug 18, 2005 8:53 am
Location: Switzerland
Contact:

Re: secure it with php.ini

Post by Beat » Thu Aug 17, 2006 9:54 am

silexian wrote: Hello all

i would like your following ini code "translated" into the .htaccess file.
Do you know the equivalence ?

Code: Select all

register_globals = 0
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open
allow_url_fopen = 0
magic_gpc_quotes = 0
I can't agree with magic_gpc_quotes = 0 being more secure than magic_gpc_quotes = 1...

For added security you really should have magic_gpc_quotes = 1

This avoids most sql injection attacks for poor code (or stupidly fergotten escapings) and all joomla and most extensions know how to handle it correctly.
Beat 8)
www.joomlapolis.com <= Community Builder + CBSubs Joomla membership payment system - team
hosting.joomlapolis.com <= Joomla! Hosting, by the CB Team

User avatar
wshealy
Joomla! Apprentice
Joomla! Apprentice
Posts: 43
Joined: Thu Jan 19, 2006 4:12 am

Re: secure it with php.ini

Post by wshealy » Tue Aug 29, 2006 3:10 am

Guys
Do you have to mod the copy script? I changed the get php script and it works like a charm but my
copy script says Error - no source php.ini file even with the new php.ini in my joomla directory.
Thanks
W
W

bret381
Joomla! Explorer
Joomla! Explorer
Posts: 354
Joined: Sat Jun 17, 2006 5:07 pm

Re: secure it with php.ini

Post by bret381 » Tue Aug 29, 2006 4:30 am

ok, I've got the location of php.ini on my server, but how do I read the contents to add it to my new php.ini file, or am I just reading this wrong?

miggalvez
Joomla! Apprentice
Joomla! Apprentice
Posts: 33
Joined: Sat Jul 01, 2006 4:00 pm

Re: secure it with php.ini

Post by miggalvez » Tue Aug 29, 2006 7:34 am

I asked my hosting server to turn register globals to off and they gave me this answer:
You can turn register_globals off by writing the following code (line) in an .htaccess file which is under public_html.
--------------------------------------------------------
php_flag register_globals off
--------------------------------------------------------
Is this true? Does it affect all subdirectories under the public_html directory?

User avatar
RobS
Joomla! Ace
Joomla! Ace
Posts: 1367
Joined: Mon Dec 05, 2005 10:17 am
Location: New Orleans, LA, USA
Contact:

Re: secure it with php.ini

Post by RobS » Tue Aug 29, 2006 7:36 am

Yes (if their configuration allows it, obviously, it does) and yes it will affect all subdirectories of public_html if placed in the public_html folder. Hint: append it to Joomla's .htaccess file if you are using it, otherwise, create your own.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions

miggalvez
Joomla! Apprentice
Joomla! Apprentice
Posts: 33
Joined: Sat Jul 01, 2006 4:00 pm

Re: secure it with php.ini

Post by miggalvez » Tue Aug 29, 2006 7:39 am

Cool!  :) This certainly beats using the scripts in this forum to copy a personalized php.ini file in every single directory in my web site.

User avatar
RobS
Joomla! Ace
Joomla! Ace
Posts: 1367
Joined: Mon Dec 05, 2005 10:17 am
Location: New Orleans, LA, USA
Contact:

Re: secure it with php.ini

Post by RobS » Tue Aug 29, 2006 7:41 am

There are ways to set that up properly so you don't have to copy the php.ini to every directory but your hosting company has to have a certain setup.  Unfortunately, most are not wise enough to do this.  That is why I always suggest people talk to their hosting company before they try one of these overrides as your hosting company might have an easier way to do it but you would never know if you didn't ask them. :P
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions

miggalvez
Joomla! Apprentice
Joomla! Apprentice
Posts: 33
Joined: Sat Jul 01, 2006 4:00 pm

Re: secure it with php.ini

Post by miggalvez » Tue Aug 29, 2006 7:47 am

Works perfectly! Thanks for your help Rob.

User avatar
Beat
Joomla! Guru
Joomla! Guru
Posts: 840
Joined: Thu Aug 18, 2005 8:53 am
Location: Switzerland
Contact:

Re: secure it with php.ini

Post by Beat » Tue Aug 29, 2006 7:49 am

miggalvez wrote: I asked my hosting server to turn register globals to off and they gave me this answer:
You can turn register_globals off by writing the following code (line) in an .htaccess file which is under public_html.
--------------------------------------------------------
php_flag register_globals off
--------------------------------------------------------
Is this true? Does it affect all subdirectories under the public_html directory?
This is by far the prefered method (after the one of having the hoster turning it off for you in his site settings), as php.ini which are in all folders are valid at time of installing them.

But imagine in one month from now, you install a new third-party component (with a "register-globals"-dependant vulnerability), and forget about it: that component will not be protected without that php.ini file, and Joomla! will not be able to prevent you, as it can't scan all directories for that !

So if at all possible, avoid that method of php.ini files in your own folders, except as immediate temporary fix.
Prefer:
1) your hoster changing it in his own settings back to this default php value.OFF
2) the .htaccess file method if your hoster allows it
3) consider changing hoster if you can't talk with them about these basic php security settings "1)" or "2)".
Beat 8)
www.joomlapolis.com <= Community Builder + CBSubs Joomla membership payment system - team
hosting.joomlapolis.com <= Joomla! Hosting, by the CB Team

User avatar
RobS
Joomla! Ace
Joomla! Ace
Posts: 1367
Joined: Mon Dec 05, 2005 10:17 am
Location: New Orleans, LA, USA
Contact:

Re: secure it with php.ini

Post by RobS » Tue Aug 29, 2006 8:01 am

Actually, that isn't the only decent way.  If your host knows what they are doing they can setup Apache/PHP to look for a php file per virtualhost in a specific place.  I use this configuration on my own servers and it works very well because it is easier to manage a php.ini file than an .htaccess file in my opinion.  The configuration is actually pretty simple but not many hosters implement for some silly reason or another that I would really like to know... anyway, yeah... ask about that option too.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions

User avatar
Beat
Joomla! Guru
Joomla! Guru
Posts: 840
Joined: Thu Aug 18, 2005 8:53 am
Location: Switzerland
Contact:

Re: secure it with php.ini

Post by Beat » Tue Aug 29, 2006 9:26 am

RobS wrote: Actually, that isn't the only decent way.  If your host knows what they are doing they can setup Apache/PHP to look for a php file per virtualhost in a specific place.  I use this configuration on my own servers and it works very well because it is easier to manage a php.ini file than an .htaccess file in my opinion.  The configuration is actually pretty simple but not many hosters implement for some silly reason or another that I would really like to know... anyway, yeah... ask about that option too.
Yeah, i implied that above (as it's hoster's task), but as we also have hosters in this forum ;) this clarifies it...

Ok trying to get a full list of prefered options first being best one:

1) hoster sets global default server settings right in php.ini file (usually in /etc/php.ini)

2) hoster sets default server settings correctly for your site (usually a virtualhost on a shared host) at the right place: it can be in php.ini file or in httpd.conf or any file included by httpd.conf, including site-specific http.include files, or in the settings of the host managment software generating those files for him (warning: manual editing of automatically generated files will kill your edits each time they are regenerated e.g. when a domain or subdomain is created/modified, resetting the settings).

3) hoster has set or sets you the rights to add the php configuration statments in your .htaccess file at the root of the http-accessible area of your server (e.g. httpdocs/ or public_html/). This setting is then valid for all folders and subfolders. Note: get in any case the new great security settings of 1.0.11 httpaccess.txt file (thanks Rob for this great contribution) in your .htaccess file .

4) if 1), 2) or 3) are not feasable at your hoster, and you have non-secure settings, talk with your hoster. These are basic security settings of PHP, which are set correctly by default in PHP since more than 2 years. Ask him why he changed them and is making his server less secure.

5) if 4) fails, consider 6) below as temporary safety measure if hoster's configuration take it in account, and plan for a hosting migration.

6) if hoster's configuration take it in account, add php.ini to each public folder (and later to any new created folder) containing php files. Plan for basic php-security knowledgeable hoster.

7) In all cases, rename htaccess.txt into .htaccess if you don't have one, otherwise take the security checks at the end of it and copy them at the end of yours. This is an additional line of defense from known attacks to weak 3pd extensions, most of which register_gloabl would catch. Check it's efficiency by typing "www.yoursite.com/blabla?mosConfig=blabla" : your site should not display same as without the text "www.yoursite.com/blabla?blablabla=blabla"... and plan for a fast hosting migration if 1)-6) could not be implemented

Code: Select all

8)
If your hoster even disallowed 7) , and doesn't want to discuss, consider changing immediately hoster for one which has or agrees to parameter PHP safely for you: means minimum: register_globals=OFF and magic_quotes_gpc=ON. Hosters which don't understand these php security settings, well... I think by now you should understand that choosing a serious hoster is important.  8)



Reference from PHP manual on a few less common additional possibilities:
http://ch2.php.net/manual/en/configuration.php (includes a link of directives and default settings.

Register globals off by default since php 4.2.0 (that's long time ago), and why:
http://ch2.php.net/register_globals

More reading on magic_quotes:
http://ch2.php.net/manual/en/security.magicquotes.php

Please post corrections, amendments, etc, as replies, and i will try to edit accordingly.
Last edited by Beat on Tue Aug 29, 2006 7:11 pm, edited 1 time in total.
Beat 8)
www.joomlapolis.com <= Community Builder + CBSubs Joomla membership payment system - team
hosting.joomlapolis.com <= Joomla! Hosting, by the CB Team


Locked

Return to “Security - 1.0.x”