secure it with php.ini

RobS
Joomla! Ace
Posts: 1367
Joined: Mon Dec 05, 2005 10:17 am
Location: New Orleans, LA, USA

Re: secure it with php.ini

Post by RobS » Tue Aug 29, 2006 9:34 am

Looks good to me.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions

 
X-Dimension
Joomla! Intern
Posts: 96
Joined: Thu Sep 15, 2005 9:31 am

Re: secure it with php.ini

Post by X-Dimension » Tue Aug 29, 2006 3:05 pm

emagin wrote: A guy there came up with two great scripts that let you take care of the issue:
1) copy your server's default php.ini - if you don't do this you will cause more damage than doing nothing
2) add the custom features you need in this php.ini
3) copy it across your site with script

http://tips-scripts.com/?tip=php_ini
http://tips-scripts.com/?tip=php_ini_copy
http://tips-scripts.com/?tip=php_ini_delete

I did this after a dotproject app was hacked, and realized how register_globals = ON is dangerous, so I went through all apps to do this. Now I do this as a rule for every app.
These scripts don't work for me.
The copy script told me that it can't find my php.ini, and the delete script shows "Done." but it doesn't delete all my manually copied php.ini files from the folders.

Any Ideas?
MV Baltic Radio - The REAL Music Station
http://www.mvbalticradio.de
- Powered by Joomla! -

dionysus
Joomla! Enthusiast
Posts: 199
Joined: Tue Dec 13, 2005 10:57 am
Location: Los Angeles

Re: secure it with php.ini

Post by dionysus » Tue Aug 29, 2006 6:10 pm

I am getting the same thing as posted by X-Dimension.
-------------------------------------------
Joomla 3.1

bret381
Joomla! Explorer
Posts: 354
Joined: Sat Jun 17, 2006 5:07 pm

Re: secure it with php.ini

Post by bret381 » Tue Aug 29, 2006 6:58 pm

Make sure the paths are correct in the php.ini file, also in the copy file. And make sure you have write permissions for the folders.

X-Dimension
Joomla! Intern
Posts: 96
Joined: Thu Sep 15, 2005 9:31 am

Re: secure it with php.ini

Post by X-Dimension » Tue Aug 29, 2006 7:31 pm

What should the path look like?
What does "/home/" mean in this PHP script? "public_html" is my public-www directory, isn't it?

Concerning write permissions:
Who needs the write permissions? (owner, group or public?)
At this time only the owner has write permissions.
MV Baltic Radio - The REAL Music Station
http://www.mvbalticradio.de
- Powered by Joomla! -

kaizen
Joomla! Explorer
Posts: 294
Joined: Fri Aug 26, 2005 5:05 am
Location: Pennsylvania, USA

Re: secure it with php.ini

Post by kaizen » Tue Aug 29, 2006 7:34 pm

bret381 wrote: make sure the paths are correct in the php.ini file, also in the copy file.  And make sure you have write permissions for the folders.
That might be a bit easier if the paths were documented...

I'm hosted with 1and1.com and have 3 installs of Joomla, running in different subdirs.  For example, in one of the installs, the absolute dir is shown as

Code: Select all

'/homepages/45/d98820553/htdocs/wilson2020'; 
Assuming I put my php.ini and the script files in the wilson2020 subdir, what values should I have for the vars in the script lines shown?

Code: Select all

$path = "/home/" . get_current_user() . "/public_html"; 
$source = $path . "/php.ini"; 
In other words, what should I have for "/home/", "/public_html/" and "/php.ini"?  Because I have it setup as follows:

Code: Select all

$path = "/homepages/45/d98820553/" . get_current_user() . "/homepages/45/d98820553/htdocs"; 
$source = $path . "/homepages/45/d98820553/htdocs/wilson2020/php.ini"; 
And I'm getting the same results as the last two posters...and BTW with all the cross talk I'm a bit confused now; is the following php.ini file correct?

Code: Select all

allow_url_fopen = OFF
register_globals = OFF
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open
It appears to have stopped the error message in Administrator but I'd just like to be sure and also to make it clear for others who will follow this thread.

Right now, I'm copying everything manually but I'm starting to get repetitive stress injury!!  And I have more sites to deal with before I sleep...so any help will be appreciated!  ;D
Last edited by kaizen on Tue Aug 29, 2006 7:52 pm, edited 1 time in total.
Robert Anthony Pitera
West of East, Inc. - http://www.westofeast.com - Taking technology in new directions™

vdrover
Joomla! Guru
Posts: 619
Joined: Fri Mar 03, 2006 3:26 pm
Location: Canuck via MKE

Re: secure it with php.ini [CRONJOB]

Post by vdrover » Tue Aug 29, 2006 7:55 pm

I went through all the best possible solutions with my host but the only real choice for me at the moment is to copy php.ini to all my folders using the scripts described earlier in this thread. I successfully performed the task as follows:

a. Edit the path in copy script as appropriate
b. Copy php.ini and the copy script to the Joomla! root folder
c. CHMOD 0600 php.ini
d. Call the script from a browser
e. Delete php script

However, going back to run the scripts each time you add an extension is likely to not be 100% (i.e. I am forgetful) and thus leaves my site vulnerable. I considered setting up the script as a cronjob to run once daily for example. Here is what my host notes about setting up cronjobs:

* In case you use a PHP cron script, please set its first line to: #!/usr/local/bin/php4.cli
* You must set read and execute permissions (like 775) to your script, to be able to run it.

1. Do I have to worry about leaving my copy script in the Joomla! root with CHMOD 775?
2. Can I just use the copy script 'as is' (see below) except for the addition noted above (#!/usr/local/bin/php4.cli)?

Code: Select all

**** Start php.ini file ************
register_globals = off
post_max_size = 20M
memory_limit = 80M
upload_max_filesize = 20M
max_execution_time = 120
expose_php=off
**** End php.ini file **************

Code: Select all

**** Start phpini_copy.php file ************
<?php
// set this value to Y if you only want to overwrite old php.ini files
// set this value to N if you want to put a php.ini file in every directory
$overwriteOnly = "N";

if ($overwriteOnly == "Y") echo "Operating in Overwrite Only Mode<br><br>";
// absolute path of the directory that holds the source php.ini and is searched
$path = "/home/user/www/www";
$source = $path . "/php.ini";
if (!file_exists($source)) die('Error - no source php.ini file');

// copy the source php.ini into every subdirectory of $dir, recursively
function search($dir) {
  global $source;
  global $overwriteOnly;
  $dh = opendir($dir);
  if ($dh === false) {
    // unreadable directory: report it instead of calling readdir() on false
    echo "<b>Cannot open $dir </b><br>";
    return;
  }
  while (($filename = readdir($dh)) !== false) {
    if ( $filename !== '.' AND $filename !== '..' AND $filename !== 'cgi-bin' AND is_dir("$dir/$filename") ) {
      $path = $dir."/".$filename;
      $target = $path . "/php.ini";
      if (!file_exists($target) AND $overwriteOnly == "Y") {
        echo "$path <b>skipped - no php.ini file</b><br>";
      } else {
        echo "$target <br>";
        if (!copy($source,$target)) echo "<b>Write failed for $target </b><br>";
        if (file_exists($target)) chmod($target,0600);
      }
      search($path);
    }
  }
  closedir($dh);
}
search($path);
echo "<br>Done.";
?>
**** End phpini_copy.php file ****************
Last edited by vdrover on Tue Aug 29, 2006 7:58 pm, edited 1 time in total.
Victor Drover
https://watchful.net - Remote backup, update and security monitoring for Joomla.

kaizen
Joomla! Explorer
Posts: 294
Joined: Fri Aug 26, 2005 5:05 am
Location: Pennsylvania, USA

Re: secure it with php.ini

Post by kaizen » Tue Aug 29, 2006 8:33 pm

Vdrover -

I sure am glad you posted your edit of the copy script, because by looking at it I finally understood what was going wrong with mine...
For others who might have been confused, here's an explanation:

Firstly, like vdrover, I eliminated the part after the path declaration that read

Code: Select all

. get_current_user() . "/homepages/45/d98820553/htdocs/";
as it wasn't necessary for me.  (Note, I'm using this at 1and1.com, your mileage may vary however!)

$path=  should be the ABSOLUTE PATH TO WHERE THE SCRIPT IS RUNNING FROM  HINT: If you run this from the root of your joomla installation, it should be the same as the value for "$mosConfig_absolute_path =" in your configuration.php file!

$source=  should be WHERE THE SOURCE PHP.INI FILE IS LOCATED, if it's in the same place as the script it should simply read "/php.ini" since the statement

Code: Select all

$source= $path . "/php.ini";
will take the value for the variable "$path" and append the value "/php.ini" to it.  I did this and it worked like a charm; don't forget to edit your globals.php and set it to OFF! I just wish I saw this BEFORE I went ahead and did everything manually...phew!  At least NOW I won't have to do it for the other 8 sites!!

Thanks!
Last edited by kaizen on Tue Aug 29, 2006 8:42 pm, edited 1 time in total.
Robert Anthony Pitera
West of East, Inc. - http://www.westofeast.com - Taking technology in new directions™

dionysus
Joomla! Enthusiast
Posts: 199
Joined: Tue Dec 13, 2005 10:57 am
Location: Los Angeles

Re: secure it with php.ini

Post by dionysus » Tue Aug 29, 2006 8:58 pm

I'm sorry,

But just to clarify, what should I do with these scripts, once I am finished?

Also, after following the examples on this page, and I am good to go.
-------------------------------------------
Joomla 3.1

kaizen
Joomla! Explorer
Posts: 294
Joined: Fri Aug 26, 2005 5:05 am
Location: Pennsylvania, USA

Re: secure it with php.ini

Post by kaizen » Tue Aug 29, 2006 9:14 pm

I'm deleting mine on the sites and keeping a copy in my client files.
Robert Anthony Pitera
West of East, Inc. - http://www.westofeast.com - Taking technology in new directions™

X-Dimension
Joomla! Intern
Posts: 96
Joined: Thu Sep 15, 2005 9:31 am

Re: secure it with php.ini

Post by X-Dimension » Tue Aug 29, 2006 9:42 pm

@kaizen

Thank you very much! That works for me!

XD
MV Baltic Radio - The REAL Music Station
http://www.mvbalticradio.de
- Powered by Joomla! -

kaizen
Joomla! Explorer
Posts: 294
Joined: Fri Aug 26, 2005 5:05 am
Location: Pennsylvania, USA

Re: secure it with php.ini

Post by kaizen » Tue Aug 29, 2006 11:20 pm

@ X-Dimension

Glad to have helped you - to answer your other question, setting the permissions for 600 would leave only the owner with permissions which is fine - so you're good to go.

In the interim, I've noted that there are a few fixes involved if you use the php.ini file I showed, especially with Joomlaboard and Community builder (Not only for RegisterGlobals but for disallowing exec calls from PHP) so make sure you customize your php.ini file to your own situation, and read this thread regarding fixes http://forum.joomla.org/index.php/topic,86525.0.html that you need to apply to 3PD apps after turning globals off.
Robert Anthony Pitera
West of East, Inc. - http://www.westofeast.com - Taking technology in new directions™

wshealy
Joomla! Apprentice
Posts: 43
Joined: Thu Jan 19, 2006 4:12 am

Re: secure it with php.ini

Post by wshealy » Wed Aug 30, 2006 2:23 am

I tried the htaccess change on 1&1 and it doesn't work :<

Talking to them on the phone is nearly worthless. Getting them to change a system setting either globals off or allowing the entry in htaccess is hopeless. Time to start looking to move.

The 3 script solution does work. I have all three scripts working. Thanks to the discussion here.

Now for the 100K question ---

The copy script put the php.ini file in more than 1300 directories most of which have nothing to do with php.

Would it be possible to enhance the script so it looks for a .php or variation .php4 etc and only copies php.ini to those directories?
That is what I did manually before the script worked for me. It would be cleaner, wouldn't depend on the overwrite logic which I think is likely to miss a new php directory, and wouldn't leave php.ini files to show up in directory listing to confuse or intrigue prying eyes. Does this make sense?

Could someone help me?

Thanks.
W <-- for Wallace not for president, Yes, it stuck from my userid.

PS - I'm having other pressing upgrade issues that I need to attend to in other post. My frontend login won't -- between joomla, cb, joomla-smf bridge it could be anything it isn't globals <-- Thanks to getting the scripts to work I turn them on and off to test.
W

vdrover
Joomla! Guru
Posts: 619
Joined: Fri Mar 03, 2006 3:26 pm
Location: Canuck via MKE

Re: secure it with php.ini

Post by vdrover » Wed Aug 30, 2006 4:31 am

Glad you guys are getting things running well. However, I want to set this up as a cron job and thus need to leave the script there. Is this dangerous? Could the script itself be a source of insecurity?
Victor Drover
https://watchful.net - Remote backup, update and security monitoring for Joomla.

Pintobean
Joomla! Apprentice
Posts: 7
Joined: Fri Oct 21, 2005 8:03 pm

Re: secure it with php.ini

Post by Pintobean » Wed Aug 30, 2006 6:07 am

Here's a wiki page on how to run your own php.ini on your domain at dreamhost.com:

http://wiki.dreamhost.com/index.php/PHP.ini

This might be helpful to other folks who are on shared webhosts, not just dreamhost. Basically, you copy the system php.cfg and php.ini files to your own cgi-bin folder, and run a little script with some Perl that parses those files and replaces the specific directives that you want modified with your chosen value.

Here's what I ran:

Code: Select all

#!/bin/sh
CGIFILE="$HOME/webroot/cgi-bin/php.cgi"
INIFILE="$HOME/webroot/cgi-bin/php.ini"
cp /dh/cgi-system/php5.cgi "$CGIFILE"
cp /etc/php5/cgi/php.ini "$INIFILE"

perl -p -i -e '
s/.*post_max_size.*/post_max_size = 100M/;
s/.*upload_max_filesize.*/upload_max_filesize = 100M/;
s/.*register_globals.*/register_globals = 0/;
s/.*allow_url_fopen.*/allow_url_fopen = 0/;
s/.*magic_gpc_quotes.*/magic_gpc_quotes = 0/;
s/.*magic_quotes_gpc.*/magic_quotes_gpc = Off/;
s/.*safe_mode.*/safe_mode = 1/;
' "$INIFILE"
They suggest setting up a cron job to run this script weekly to keep it up-to-date. Works like a charm for me! BTW thanks to all the developers who put in great time and effort to keep Joomla! up-to-date and as secure as possible.

locutus
Joomla! Enthusiast
Posts: 111
Joined: Thu Aug 18, 2005 6:43 pm

Re: secure it with php.ini

Post by locutus » Wed Aug 30, 2006 7:11 am

Having trouble getting the above scripts going?

Change this:

Code: Select all

$path = "/home/" . get_current_user() . "/public_html"; 
into this

Code: Select all

$path = getcwd();

kaizen
Joomla! Explorer
Posts: 294
Joined: Fri Aug 26, 2005 5:05 am
Location: Pennsylvania, USA

Re: secure it with php.ini

Post by kaizen » Wed Aug 30, 2006 12:24 pm

vdrover wrote: Glad you guys are getting things running well. However, I want to set this up as a cron job and thus need to leave the script there. Is this dangerous? Could the script itself be a source of insecurity?
I'm not an expert, but my guess would be that if someone could find a way to upload a different php.ini file, or modify the delete script to delete something else (say your configuration.php or maybe *.php) it would be a risk. I'm not willing to take the chance so I'm deleting mine at the host.

Now if you were running it as a cron job and put it in a more secure area that should be fine - but you'll have to ask someone else how to accomplish that as I'm afraid I don't know how.
Robert Anthony Pitera
West of East, Inc. - http://www.westofeast.com - Taking technology in new directions™

vdrover
Joomla! Guru
Posts: 619
Joined: Fri Mar 03, 2006 3:26 pm
Location: Canuck via MKE

Re: secure it with php.ini

Post by vdrover » Wed Aug 30, 2006 4:26 pm

kaizen wrote: I'm not an expert, but my guess would be that if someone could find a way to upload a different php.ini file, or modify the delete script to delete something else (say your configuration.php or maybe *.php) it would be a risk. I'm not willing to take the chance so I'm deleting mine at the host.

Now if you were running it as a cron job and put it in a more secure area that should be fine - but you'll have to ask someone else how to accomplish that as I'm afraid I don't know how.
I just realized that my host has a private area not accessible via the web. /home/user/private. I used the modified script below (as well as the php.ini file noted earlier) to set up a cron job using this now secure script. The main difference is that the script is not working recursively, but in /home/user/www.

Now I can leave the script safely in /home/user/private and let the cron job run once a day...SWEEEEEET!

Code: Select all

#!/usr/local/bin/php4.cli
<?php
// The "#!" line above is required by my host in all cron jobs; it has to be the first line of the file.
// Ask your host if you need this or a modified version.

// set this value to Y if you only want to overwrite old php.ini files
// set this value to N if you want to put a php.ini file in every directory
$overwriteOnly = "N";
if ($overwriteOnly == "Y") echo "Operating in Overwrite Only Mode<br><br>";

// modify the following path as appropriate for your host. This is where you have your joomla
// installations and where you want to copy the php.ini files.
$path = "/home/user/www";

// modify the following to the absolute path of your script and php.ini file.
$sourcepath = "/home/user/private";
$source = $sourcepath . "/php.ini";

if (!file_exists($source)) die('Error - no source php.ini file');

// copy the source php.ini into every subdirectory of $dir, recursively
function search($dir) {
  global $source;
  global $overwriteOnly;
  $dh = opendir($dir);
  if ($dh === false) {
    // unreadable directory: report it instead of calling readdir() on false
    echo "<b>Cannot open $dir </b><br>";
    return;
  }
  while (($filename = readdir($dh)) !== false) {
    if ( $filename !== '.' AND $filename !== '..' AND $filename !== 'cgi-bin' AND is_dir("$dir/$filename") ) {
      $path = $dir."/".$filename;
      $target = $path . "/php.ini";
      if (!file_exists($target) AND $overwriteOnly == "Y") {
        echo "$path <b>skipped - no php.ini file</b><br>";
      } else {
        echo "$target <br>";
        if (!copy($source,$target)) echo "<b>Write failed for $target </b><br>";
        if (file_exists($target)) chmod($target,0600);
      }
      search($path);
    }
  }
  closedir($dh);
}
search($path);
echo "<br>Done.";
?>
Victor Drover
https://watchful.net - Remote backup, update and security monitoring for Joomla.

DoctorMicro
Joomla! Apprentice
Posts: 19
Joined: Wed Aug 30, 2006 11:12 pm

Re: secure it with php.ini

Post by DoctorMicro » Wed Aug 30, 2006 11:23 pm

Hello All, this is my first posting to this site. :)

The best way I have found to have it work, was to just add the php flags at the top of Joomla's .htaccess file and place it in the directory Joomla resides in on your server. I only needed the two below for this new 1.0.11 update.


php_flag register_globals off

php_flag magic_quotes_gpc on


NOTE: Will not work without the php_flag in front of them. Also some servers like using 0 instead of off and on instead of 1.

Harrison78
Joomla! Apprentice
Posts: 20
Joined: Tue Jun 20, 2006 10:39 pm

Re: secure it with php.ini

Post by Harrison78 » Thu Aug 31, 2006 12:41 am

This may be of interest to members who use 1and1 for their Joomla hosting.

I found an easy way to switch register globals off on a 1and1 shared hosting account by making the server run all php scripts through php 5 instead of php 4.  1and1 run a much more secure PHP5 configuration compared to their PHP4 installation and by default registerglobals is off, as well as some other more secure settings being set as standard.

By default all .php scripts on a 1and1 server use PHP 4 and you have to rename scripts to .php5 for the apache server to use PHP 5, but you can easily tell the apache server to use PHP 5 for all scripts, and this is done by placing a .htaccess file at the root of your Joomla installation with the following line in it:

Code: Select all

AddType x-mapp-php5 .php
This will tell Apache to use PHP5 instead of PHP4 for the extension .php in the directory the .htaccess is placed and all sub-directories under it.

vdrover
Joomla! Guru
Posts: 619
Joined: Fri Mar 03, 2006 3:26 pm
Location: Canuck via MKE

Re: secure it with php.ini

Post by vdrover » Thu Aug 31, 2006 2:41 am

DoctorMicro wrote: Hello All, this is my first posting to this site. :)

The best way I have found to have it work, was to just add the php flags at the top of Joomla's .htaccess file and place it in the directory Joomla resides in on your server. I only needed the two below for this new 1.0.11 update.


php_flag register_globals off

php_flag magic_quotes_gpc on


NOTE: Will not work without the php_flag in front of them. Also some servers like using 0 instead of off and on instead of 1.
My host has PHP running as CGI under the SuExec environment. They say that with this configuration you cannot set PHP values in .htaccess files ("This only works with PHP in mod_php mode").

Can anyone confirm this?
Victor Drover
https://watchful.net - Remote backup, update and security monitoring for Joomla.

wshealy
Joomla! Apprentice
Posts: 43
Joined: Thu Jan 19, 2006 4:12 am

Re: secure it with php.ini

Post by wshealy » Thu Aug 31, 2006 5:01 am

wshealy wrote: Would it be possible to enhance the script so it looks for a .php or variation .php4 etc and only copies php.ini to those directories?
That is what I did manually before the script worked for me. It would be cleaner, wouldn't depend on the overwrite logic which I think is likely to miss a new php directory, and wouldn't leave php.ini files to show up in directory listing to confuse or intrigue prying eyes. Does this make sense?

Could someone help me?

Thanks.
W

Could anybody help me with this?

Thanks
W
W
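
Added example (not part of the thread, and not the tips-scripts.com code): one way to do what wshealy asks for, combined with vdrover's cron setup. It copies the master php.ini only into directories that contain PHP scripts and removes identical leftover copies elsewhere; the paths, the extension list and the file name phpini_sync.php are assumptions, and it is written for a current PHP CLI.

```php
#!/usr/bin/env php
<?php
// Added example, not the tips-scripts.com script. Paths are placeholders that
// follow the cron post above: master php.ini kept outside the web root.
// Usage: php phpini_sync.php /home/user/private/php.ini /home/user/www

if (PHP_SAPI !== 'cli') {
    // Refuse web requests, so a copy left inside the web root cannot be triggered.
    exit('This script runs from cron or a shell only.');
}

$source = isset($argv[1]) ? $argv[1] : '/home/user/private/php.ini';
$root   = isset($argv[2]) ? rtrim($argv[2], '/') : '/home/user/www';
if (!is_file($source) || !is_dir($root)) {
    fwrite(STDERR, "Error - source php.ini or web root not found\n");
    exit(1);
}

// True when $dir directly contains a file PHP would execute.
// The extension list is an assumption; match it to your host's handlers.
function hasPhpFiles($dir, array $names)
{
    foreach ($names as $name) {
        if (preg_match('/\.(php[345]?|phtml)$/i', $name) && is_file("$dir/$name")) {
            return true;
        }
    }
    return false;
}

// Recursively place, refresh or remove php.ini in $dir and below.
function syncDir($dir, $source, array &$count)
{
    $names = scandir($dir);
    if ($names === false) {
        fwrite(STDERR, "Cannot read $dir\n");
        return;
    }
    $target = "$dir/php.ini";

    if (hasPhpFiles($dir, $names)) {
        if (is_link($target)) {
            // copy() would write through the link to a file somewhere else.
            fwrite(STDERR, "Skipped symlink $target\n");
        } elseif (copy($source, $target) && chmod($target, 0600)) {
            $count['written']++;
        } else {
            fwrite(STDERR, "Write failed for $target\n");
        }
    } elseif (is_file($target) && !is_link($target)
        && sha1_file($target) === sha1_file($source)) {
        // Leftover from a copy-everywhere run. Only exact copies of the
        // current master are removed; anything else is left alone.
        if (unlink($target)) {
            $count['removed']++;
        }
    }

    foreach ($names as $name) {
        $path = "$dir/$name";
        // Skip cgi-bin like the original script, and never follow symlinked
        // directories: they can loop or lead outside the web root.
        if ($name === '.' || $name === '..' || $name === 'cgi-bin'
            || is_link($path) || !is_dir($path)) {
            continue;
        }
        syncDir($path, $source, $count);
    }
}

$count = array('written' => 0, 'removed' => 0);
syncDir($root, $source, $count);
echo "php.ini written: {$count['written']}, stale copies removed: {$count['removed']}\n";
```

Because every run rescans the tree, a directory that gains its first PHP file after an extension install is picked up on the next cron run.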

RobS
Joomla! Ace
Posts: 1367
Joined: Mon Dec 05, 2005 10:17 am
Location: New Orleans, LA, USA

Re: secure it with php.ini

Post by RobS » Thu Aug 31, 2006 7:29 am

vdrover wrote:
DoctorMicro wrote: Hello All, this is my first posting to this site. :)

The best way I have found to have it work, was to just add the php flags at the top of Joomla's .htaccess file and place it in the directory Joomla resides in on your server. I only needed the two below for this new 1.0.11 update.


php_flag register_globals off

php_flag magic_quotes_gpc on


NOTE: Will not work without the php_flag in front of them. Also some servers like using 0 instead of off and on instead of 1.
My host has PHP running as CGI under the SuExec environment. They say that with this configuration you cannot set PHP values in .htaccess files ("This only works with PHP in mod_php mode").

Can anyone confirm this?
This is true.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions

paullehat
Joomla! Apprentice
Posts: 16
Joined: Sat Nov 19, 2005 12:54 pm

Re: secure it with php.ini

Post by paullehat » Thu Aug 31, 2006 8:53 am

My website hosts allow me to create my own php.ini file, can anyone point a newbie to a template file or text for file I can modify for globals off? PHP info says etc/php.ini. Do I create a new folder called 'etc' because I can't see one via FTP? Please advise.
Regards.
Paul Le Hat.

draconid
Joomla! Apprentice
Posts: 14
Joined: Tue Dec 20, 2005 9:04 am

Re: secure it with php.ini

Post by draconid » Thu Aug 31, 2006 9:28 am

Harrison78 wrote: By default all .php scripts on a 1and1 server use PHP 4 and you have to rename scripts to .php5 for the apache server to use PHP 5, but you can easily tell the apache server to use PHP 5 for all scripts, and this is done by placing a .htaccess file at the root of your Joomla installation with the following line in it:

Code: Select all

AddType x-mapp-php5 .php
This will tell Apache to use PHP5 instead of PHP4 for the extension .php in the directory the .htaccess is placed and all sub-directories under it.
This is an awesome suggestion.  Thanks!  I was having trouble getting the scripts on this thread working, but this works like a dream!

steveoc
Joomla! Intern
Posts: 84
Joined: Fri Jun 23, 2006 11:14 pm

Re: secure it with php.ini

Post by steveoc » Thu Aug 31, 2006 11:52 am

paullehat wrote: My website hosts allow me to create my own php.ini file, can anyone point a newbie to a template file or text for file I can modify for globals off? PHP info says etc/php.ini. Do I create a new folder called 'etc' because I can't see one via FTP? Please advise.
My host told me to take the .htacess.txt and rename it php.ini. The server runs phpsuexec. I put it in the joomla root and joomla/admin folders. That got rid of the warnings and my host says that the subfolders should be covered. I have my doubts though as the security warning did not disappear until I put a copy in the admin. It may be that I did not wait and popped it in immediately after I saw the security flag on the back end.

Steve

Beat
Joomla! Guru
Posts: 840
Joined: Thu Aug 18, 2005 8:53 am
Location: Switzerland

Re: secure it with php.ini

Post by Beat » Thu Aug 31, 2006 12:36 pm

steveoc wrote: ...
My host told me to take the .htacess.txt and rename it php.ini
...
my host says that the subfolders should be covered.
I'm in between:  >:(  :( :-\  :'(  >:(  :(  :'(

But also, this is the most  :laugh:  :laugh:  :laugh:  :laugh:  :laugh:  I heard from a hoster today.

Sorry, both are 100% wrong statements. Who knows how these servers are configured...
I have my doubts though as the security warning did not disappear until I put a copy in the admin...
You are right to have serious doubts.  8)

Security fix #1 for your site: Run away from this hoster the fastest you can.

Read carefully all pages of the front-page announcement of Joomla 1.0.11 on http://www.joomla.org/ to get better instructions on htaccess.txt and other settings. Read the sticky posts on the security sub-forum. Choose a hoster who knows what he is doing...
Beat 8)
www.joomlapolis.com <= Community Builder + CBSubs Joomla membership payment system - team
hosting.joomlapolis.com <= Joomla! Hosting, by the CB Team

steveoc
Joomla! Intern
Posts: 84
Joined: Fri Jun 23, 2006 11:14 pm

Re: secure it with php.ini

Post by steveoc » Thu Aug 31, 2006 12:48 pm

Beat wrote:
I have my doubts though as the security warning did not disappear until I put a copy in the admin...
You are right to have serious doubts.  8)

Security fix #1 for your site: Run away from this hoster the fastest you can.

Read carefully all pages of the front-page announcement of Joomla 1.0.11 on http://www.joomla.org/ to get better instructions on htaccess.txt and other settings. Read the sticky posts on the security sub-forum. Choose a hoster who knows what he is doing...
Okay--as I suspected! Unfortunately I cannot move it right now, but I will when the opportunity arises. Looks like it's time to find the path to the php.ini and use the scripts to copy and replicate it with the needed modifications. Just can't get the script to work! (I already tried it--as you can see, I didn't believe them either!). I can't use .htaccess on this server--it has to be the php.ini route as attempts to use the .htaccess throw errors.

All my other sites are fine as they are on another server that allows the .htaccess.

Steve

steveoc
Joomla! Intern
Posts: 84
Joined: Fri Jun 23, 2006 11:14 pm

Re: secure it with php.ini

Post by steveoc » Thu Aug 31, 2006 9:20 pm

When I try to run the initialize script, I keep getting
Parse error: syntax error, unexpected T_CONSTANT_ENCAPSED_STRING in /home/user/public_html/php-initialize.php on line 4
I am ready to give up. I've been working on securing this site for days. I can't even keep straight what I have read. I'd hire help, but the site is my school's and by the time I get the business manager to act, it would be into the next year.

Now tech support says just write a text file with register_globals = Off, name it php.ini, and put it in each folder. I tried the copy script and got the same error.

Steve

wshealy
Joomla! Apprentice
Posts: 43
Joined: Thu Jan 19, 2006 4:12 am

Re: secure it with php.ini

Post by wshealy » Fri Sep 01, 2006 5:56 am

This gives me a 500 error. Any suggestions?
Harrison78 wrote: This may be of interest to members who use 1and1 for their Joomla hosting.

Code: Select all

AddType x-mapp-php5 .php
Thanks
W
W

 
