secure it with php.ini

wshealy
Joomla! Apprentice
Posts: 43
Joined: Thu Jan 19, 2006 4:12 am

Re: secure it with php.ini

Post by wshealy » Fri Sep 01, 2006 6:00 am

wshealy wrote: Would it be possible to enhance the copy script so it looks for a *.php file and only copies php.ini to those directories?

It would be cleaner, wouldn't depend on the overwrite logic which I think is likely to miss a new php directory, and wouldn't leave php.ini files to show up in directory listing to confuse or intrigue prying eyes. Does this make sense?

Could someone help me?

Thanks.
W
Still hoping someone will at least let me know if this is possible.
W
W

 
Harrison78
Joomla! Apprentice
Posts: 20
Joined: Tue Jun 20, 2006 10:39 pm

Re: secure it with php.ini

Post by Harrison78 » Fri Sep 01, 2006 8:56 am

wshealy wrote: This gives me a 500 error. Any suggestions?
Harrison78 wrote: This may be of interest to members who use 1and1 for their Joomla hosting.

AddType x-mapp-php5 .php
Thanks
W
Did you upload your .htaccess file to the server in binary or ASCII format?  It has to be ASCII.

Also make sure you have only the code I mentioned in the file, and have spaces in the right place.

micbec
Joomla! Apprentice
Posts: 19
Joined: Tue Aug 29, 2006 10:21 am

Re: secure it with php.ini

Post by micbec » Fri Sep 01, 2006 11:36 am

Harrison78 wrote: This may be of interest to members who use 1and1 for their Joomla hosting.

I found an easy way to switch register globals off on a 1and1 shared hosting account by making the server run all php scripts through php 5 instead of php 4.  1and1 run a much more secure PHP5 configuration compared to their PHP4 installation and by default register_globals is off, as well as some other more secure settings being set as standard.

By default all .php scripts on a 1and1 server use PHP 4 and you have to rename scripts to .php5 for the apache server to use PHP 5, but you can easily tell the apache server to use PHP 5 for all scripts, and this is done by placing a .htaccess file at the root of your Joomla installation with the following line in it:

AddType x-mapp-php5 .php
This will tell Apache to use PHP5 instead of PHP4 for the extension .php in the directory the .htaccess is placed and all sub-directories under it.
Thank you for adding that! I am using 1and1 and nothing else was working!

I have added your code and it's working perfectly :D

hagala
Joomla! Fledgling
Posts: 2
Joined: Tue May 09, 2006 5:10 am

Re: secure it with php.ini

Post by hagala » Fri Sep 01, 2006 11:45 am

If anyone is having problems copying php.ini to subdirectories, you can try this method if you have shell access:

find * -type d|xargs -i cp --verbose php.ini {}/.

cheers
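The variant wshealy asked for earlier in the thread (copy php.ini only into directories that actually contain a *.php file, and be able to take the copies out again), as an added example written for this page. It is not the tips-scripts.com copy script, not hagala's one-liner, and not code from anyone in the thread. It assumes PHP runs as CGI (which reads php.ini from the main script's directory), that the script is run from the command line on the host, and that the source ini is the server's default with register_globals = Off appended; before copying anything it parses the source ini and refuses to spread it if it does not parse or does not switch register_globals off. File and function names are mine. Written for PHP 5.2 and later.

```php
<?php
// Added example for this thread: copy one custom php.ini only into the
// directories below a Joomla root that actually contain a *.php file, and
// remove those copies again. Not the tips-scripts.com script and not
// hagala's shell one-liner. Assumptions: PHP runs as CGI (so a php.ini in
// the main script's directory is honoured), the script is run from the
// command line on the host, and the source ini is the server's default
// with register_globals = Off appended. Written for PHP 5.2 and later.

/** Directories below $root (including $root) that contain at least one *.php file. */
function directoriesWithPhp($root)
{
    $found  = array();
    $walker = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($root));
    foreach ($walker as $entry) {
        // The "." and ".." entries are directories, so isFile() drops them.
        if ($entry->isFile() && strtolower(pathinfo($entry->getFilename(), PATHINFO_EXTENSION)) === 'php') {
            $found[$entry->getPath()] = true;   // one entry per directory, however many scripts it holds
        }
    }
    $dirs = array_keys($found);
    sort($dirs);
    return $dirs;
}

/**
 * Refuse to spread an ini that does not parse or that leaves register_globals
 * on: the thread's warning is that a wrong php.ini does more damage than none.
 * parse_ini_file() folds Off/No/False to "" and On/Yes/True to "1".
 */
function iniTurnsRegisterGlobalsOff($iniPath)
{
    $settings = @parse_ini_file($iniPath);
    if ($settings === false || !array_key_exists('register_globals', $settings)) {
        return false;
    }
    return in_array((string) $settings['register_globals'], array('', '0'), true);
}

/** Copy $source as php.ini into every directory that holds PHP scripts; returns the targets. */
function spreadIni($root, $source, $dryRun = true, $mode = 0600)
{
    if (!iniTurnsRegisterGlobalsOff($source)) {
        throw new RuntimeException("$source does not parse or does not set register_globals = Off");
    }
    $written = array();
    foreach (directoriesWithPhp($root) as $dir) {
        $target = $dir . DIRECTORY_SEPARATOR . 'php.ini';
        if (is_file($target) && realpath($target) === realpath($source)) {
            continue;                               // never copy the source onto itself
        }
        if (!$dryRun) {
            if (!copy($source, $target)) {
                throw new RuntimeException("cannot write $target");
            }
            chmod($target, $mode);                  // 0600 as the thread suggests; assumes PHP-CGI runs as the account owner
        }
        $written[] = $target;
    }
    return $written;
}

/** Remove every php.ini below $root except $keep (the master copy); returns the paths removed. */
function removeIni($root, $keep, $dryRun = true)
{
    $removed = array();
    foreach (directoriesWithPhp($root) as $dir) {
        $target = $dir . DIRECTORY_SEPARATOR . 'php.ini';
        if (!is_file($target) || realpath($target) === realpath($keep)) {
            continue;
        }
        if (!$dryRun && !unlink($target)) {
            throw new RuntimeException("cannot remove $target");
        }
        $removed[] = $target;
    }
    return $removed;
}

// Usage: php spread_ini.php copy|remove /path/to/joomla /path/to/php.ini [--apply]
// Without --apply nothing is changed; the targets are only listed.
if (PHP_SAPI === 'cli' && isset($argv[3]) && in_array($argv[1], array('copy', 'remove'), true)) {
    $apply = in_array('--apply', $argv, true);
    $paths = ($argv[1] === 'copy')
        ? spreadIni($argv[2], $argv[3], !$apply)
        : removeIni($argv[2], $argv[3], !$apply);
    foreach ($paths as $path) {
        echo ($apply ? '' : '[dry run] '), $argv[1], ' ', $path, PHP_EOL;
    }
}
```

Run it once without --apply to see which directories would receive a copy; directories that hold no PHP script get nothing, so no stray php.ini shows up in directory listings. If the host's full php.ini does not parse with parse_ini_file(), the check fails closed and nothing is copied, which is the safer outcome.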

steveoc
Joomla! Intern
Posts: 84
Joined: Fri Jun 23, 2006 11:14 pm

Re: secure it with php.ini

Post by steveoc » Fri Sep 01, 2006 11:54 pm

steveoc wrote: When I try to run the initialize script, I keep getting
Parse error: syntax error, unexpected T_CONSTANT_ENCAPSED_STRING in /home/user/public_html/php-initialize.php on line 4
I am ready to give up. I've been working on securing this site for days. I can't even keep straight what I have read. I'd hire help, but the site is my school's and by the time I get the business manager to act, it would be into the next year.

Now tech support says just write a text file with register_globals = Off, name it php.ini, and put it in each folder. I tried the copy script and got the same error.

Steve
Well, I have to say that my host (hostgator) has more than made up for their prior failings. It certainly pays to be a well informed customer though. It also pays to be persistent! Rather than relying on changing shifts of tech support to see the whole picture by reviewing all the emails, I replied with an email that laid out the whole problem, what I had tried and what had failed in detail.

It seems that they bumped it up to a higher level of support personnel. He looked at the scripts to copy the php.ini and copy them to the subdirectories. He found the problem (I was close, just frustrated), modified them to work, ran the first to copy and modify the php.ini to my public_html folder, then ran the second script to copy to all the sub-directories for me. He left the customized scripts in my site so that I could run them whenever I like and even gave suggestions for setting up a cron job.

All is good! And thanks to all here!

Steve

joomlan
Joomla! Explorer
Posts: 345
Joined: Sun Jul 16, 2006 1:21 pm

Re: secure it with php.ini

Post by joomlan » Sun Sep 03, 2006 1:38 am

How do you disable this in the php.ini file?

disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open

I checked my php configuration and this is what I have :

disable_classes no value no value
disable_functions no value no value

Thanks

rliskey
Joomla! Guru
Posts: 828
Joined: Tue Jun 06, 2006 7:41 am
Location: California, Germany, Norway

Re: secure it with php.ini

Post by rliskey » Sun Sep 03, 2006 11:48 pm

X-Dimension wrote: Concerning write permissions:
Who needs the write permissions? (owner, group or public?)
At this time only the owner has write permissions.
Assuming you're the owner, only the owner needs write permission.

webforbiz
Joomla! Apprentice
Posts: 5
Joined: Mon Sep 04, 2006 2:53 am
Location: Australia

Re: secure it with php.ini

Post by webforbiz » Mon Sep 04, 2006 3:19 am

emagin wrote: I have joomla sites hosted at site5, which runs PHP in cgi mode, supposedly for security.
The default php.ini for the server runs with register_globals=off

To secure your apps, this means that you have to have a php.ini file inside of every directory of your application. This is a major pain, but there is a great solution!

A guy there came up with two great scripts that let you take care of the issue:
1) copy your server's default php.ini - if you don't do this you will cause more damage than doing nothing
2) add the custom features you need in this php.ini
3) copy it across your site with script

http://tips-scripts.com/?tip=php_ini
http://tips-scripts.com/?tip=php_ini_copy
http://tips-scripts.com/?tip=php_ini_delete


I did this after a dotproject app was hacked, and realized how register_globals = ON is dangerous, so i went through all apps to do this. Now I do this as a rule for every app.

So the custom settings would be:

; USER MODIFIED PARAMETERS FOLLOW
register_globals = Off
session.use_trans_sid = 0

And make sure you save and CHMOD the php.ini to 0600 before you copy it across the site with the script.  (I use WinSCP to edit the file directly from my desktop, or from PuTTY; not sure if 0600 is too restrictive if you use other methods)

I tried to do this, but every time I had an error, so I decided to contact my host and ask them to switch register_globals off; however, they told me the reason they have it on is because of the spam by PHP hackers.

By implementing this upgrade, would I be exposed to hackers?


Thanks

Arty
PC Security Australia
Great Place to discuss your PC Security Issues.
Http://www.PCsecurity.com.au

askjosh
Joomla! Apprentice
Posts: 5
Joined: Sun Feb 12, 2006 8:59 am

Re: secure it with php.ini

Post by askjosh » Mon Sep 04, 2006 5:57 am

Thank you so much for the 1and1 fix, it worked like a charm. All I did was place AddType x-mapp-php5 .php in the .htaccess file and boom, it worked :-)

bergmannn
Joomla! Ace
Posts: 1186
Joined: Tue Jan 10, 2006 2:18 pm
Location: Lake Garda - Italy

Re: secure it with php.ini

Post by bergmannn » Mon Sep 04, 2006 11:02 pm

Pumuckl wrote: But my hoster (Schlund) has activated these features and I'm not sure whether 1and1 has activated this, too.
It's not a failure to do this; if you do not know what your hoster is doing, it's better to insert your own php.ini file.
Right?
Yes... I'm also on Schlund (1&1) and they don't want to change the settings... I solved the problem with a tool found on the joomla.de forum. Very easy to use.

My post is here:
http://forum.joomla.org/index.php/topic ... #msg465727

Regards
Martin Bergmann
----------------------
Soluzioni web e supporto professionale - http://www.bergmannn.net
Lake Garda Hotelguide - http://www.gardalink.com

askjosh
Joomla! Apprentice
Posts: 5
Joined: Sun Feb 12, 2006 8:59 am

Re: secure it with php.ini

Post by askjosh » Mon Sep 04, 2006 11:38 pm

Bergmannn,

Here is what I have found out after searching through a lot of forums and I hope this helps you and anyone else using 1and1.com

By default 1and1.com uses php 4.44 for backwards compatibility. While this does allow many of their clients to continue using older php scripts, it also leaves a lot of security holes open that were fixed in php 5.

To solve this problem you can do four things: first, copy a php.ini file into every folder one at a time; second, use a script to copy the php.ini file or create a link to that file like your script does; third, you can change each and every php file to use the .php5 extension.

The fourth and best way is to create a file at the root of your site called .htaccess and put this one line in that file.

AddType x-mapp-php5 .php
What this does is tell the Apache server that 1and1 uses to use the php 5 engine on all php files in the same directory as the .htaccess file and all sub directories under it. This greatly increases the security of your site because php 5 turns off the register globals option by default and fixes several other security holes that were in php 4.

For your convenience I will also attach an htaccess file for you to download. Just ftp the file to the root of your webspace and rename it to .htaccess and you're done.

RobS
Joomla! Ace
Posts: 1367
Joined: Mon Dec 05, 2005 10:17 am
Location: New Orleans, LA, USA

Re: secure it with php.ini

Post by RobS » Tue Sep 05, 2006 12:44 am

@askjosh,

Please don't cross post.  It is against the forum rules.

re: http://forum.joomla.org/index.php/topic ... #msg465778
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions

CirTap
Joomla! Explorer
Posts: 418
Joined: Mon Dec 12, 2005 5:34 pm

Re: secure it with php.ini

Post by CirTap » Wed Sep 06, 2006 10:59 am

Hi,

after reading this thread, I'd like to summarize a few things and put some things straight, as I found a bunch of glitches in previous posts.

In no particular order and certainly incomplete ...

get_user_name() -- using this function to "construct" a path is rather pointless and unreliable since there's barely any connection between the user name reported to PHP and the physical/logical "path name" or structure leading to home directories, document roots or such. Mass hosters (need to) use other techniques to manage the mapping of path names and accounts, contract ids, grants, or other services.

phpinfo() -- tells you exactly where the active copy of php.ini for the active PHP version (4 or 5) resides, in case you wanna take it as the source for copies. It also tells you whether it's running as a "module" or "CGI".

spreading php.ini files -- pointless in the hope to change "run time values" if PHP runs as Apache module (mod_php), 'cos the module reads this file once only, when the server is started (by the ISP). PHP-CGI -- if configured to do so -- primarily looks for this file in the directory of the "main script" aka $PHP_SELF and if none is found tests another 10 well-defined locations. Read http://php.net/manual/configuration.php to learn the rules of where, when and in what order some "php.ini" will be sought and loaded, the possible file names, dependencies on whether it's CGI/CLI/module incl. differences between the operating systems.
For Joomla the "main script" is either of the index*.php files of the site, the admin and the installer. There's no need to copy php.ini files into any other directory, if there's no "main script" to call. If one calls /foobar/blabla.php, PHP will look for /foobar/php.ini only, not for /php.ini nor /include/php.ini -- Note: Some J!-Editors or Components use popup-windows using a different "main script" (check their URL!). Whenever that happens, you may also place a copy of your custom php.ini into that very directory, e.g. JCE/MosCE's Image Editor

php-XXX.ini -- PHP may not use an existing "php.ini" even if it's configured to do so, but looks for a very specific file where the basename is suffixed by its internal "server api name": "cgi", "fast-cgi", "fcgi" or "apache2handler", hence you may have more luck by naming the file php-cgi.ini rather than just "php.ini". See the result of php_sapi_name() to find this name.

AddType xxxxx .php -- while many ISPs meanwhile allow you to toggle .php from PHP4 to PHP5 on a directory basis, the type name typically differs and there's no general rule. You MUST ASK your provider what name they have used. "x-mapp-php5" is true for the german providers 1und1 and Schlund & Partner (same firm, diff. brands). I run client sites on various hosters and EACH has chosen a different type name. On my local box I used php5_script, as suggested in the manual. (AFAIK, the type name is fixed to "php5_script" if -- and only if -- PHP5 runs as an Apache module (mod_php), however one may add more types for the same thing in Apache)

php_value xx yy -- only applies to PHP module. Period. Read Elpie's Guide to .htaccess as a great companion to this subject.

.htaccess & php*.ini -- are NOT interchangeable, as Beat already said. The former belongs to the web server only and allows to configure (parts) of the web server configuration and it's active modules. The latter only belong to PHP of any type, with each may favour a special named file as mentioned above.
The PHP-CGIs evaluate their .ini on each request, hence giving you the ability to change runtime values using separate .ini's in the main script's location, the module does so only if the server is started. To change module settings, you must use the php_value directive. If you happen to have access to Apache's httpd.conf do it there, otherwise use .htaccess and be aware of the possible impact (see Elpie's Guide.)

PHP4 or PHP5 -- by design you can't have both as a module on the same web server (instance) so you need to use their respective method to change run time settings: .htaccess for the module, php.ini for CGIs.
Unfortunately PHP5 isn't yet the default "php handler" for many mass/large hosters but often runs in parallel, in CGI mode configured to launch for .php5 files. Maybe PHP4 runs in CGI mode as well.
Presuming there's no .htaccess to switch the handler type, have two files with inside and save one as "whatever.php" and the other as "whatever.php5". Check the header block to find out which PHP version and "Server API" applies: anything with "cgi" in that name means, well, CGI mode. The module usually has "apache" in the API name (i.e "apache2handler" on Apache 2.x) -- I have no clue what it's called for IIS or other web servers, sorry.

Finding path names.
ISPs may mount/link physical storage into a logical file structure, resulting in different path names appearing in PHP's scope. Handy looking values from i.e. $_SERVER['DOCUMENT_ROOT'], getcwd(), or dirname(__FILE__) need not contain/return the same paths because they originate from different sources (Apache, OS, PHP). While your php-script might be able to read from each of these paths, that doesn't imply it can also be used to write/copy files into it.
To make things even more fun: via FTP you may encounter even another path to your "web space". The larger your provider the better the chances none of them match "visually".
e.g. physical paths as seen/known by the OS:
  /drive1/clients/cheap/contract_id1/web
  /drive2/clients/cheap/contract_id2/web
by the web server:
  /foo/bar/anybody/account0001/www/htdocs
  /foo/bar/anybody/account0002/www/htdocs
by PHP
  /account0001/www/htdocs
  /account0002/www/htdocs
free.fr for instance happens (or happened) to have such a funky "layout"

You're dealing with several levels:
- paths visible to applications
- logical paths
- their physical location
and your provider's idea of his very own "best practice" to handle all this with the lowest effort.

So instead of guessing and placing INIs all over the place or adding directives to .htaccess for no good: save yourself some time and nerves, and ask your provider first if the required "feature" (.htaccess, php.ini) is supported at all or search their support/faq pages. The provider may even change a setting for you if this has no impact on other clients' setups. Mass hosters are unlikely to do that for you: they're that cheap 'cos they use a "one size fits all" approach.
If this is bugging you, have a drink less per month and save that money for a better provider and service.

Don't reply to my post telling me your provider does it this way or that way: I'm sure he does.
"Disclaimer": There are as many exceptions to the above as there are common, bad and best practices. The above statements are a partly simplified, small résumé of what I learned in the last couple of years, and I still get stunned now and then at how "creative" or dumb some ISPs [still] are.
Please let me know if any of the above is plain dead wrong or essentially different under certain environments (i.e. suexec): I'm always open to learn something new :-)

Have fun,

CirTap
Last edited by CirTap on Wed Sep 13, 2006 2:00 pm, edited 1 time in total.
You can have programs written fast, well, and cheap, but you only get to pick 2 ...

"I love deadlines. I like the whooshing sound they make as they fly by." Douglas Adams

mrochte
Joomla! Fledgling
Posts: 1
Joined: Wed Sep 06, 2006 10:42 pm

Re: secure it with php.ini

Post by mrochte » Wed Sep 06, 2006 10:56 pm

Ok, this is frustrating. 

All I've got left is this register_globals thing

I talked with my host and they said just add "php_flag register_globals off" to the .htaccess  as several other posters have mentioned.  So I did that and yes I saved it as ascii.  I got a 500 error and lost all access to the website.  Take it out, everything was fine.  Put it back in same error. 

Ok, so I try the php.ini approach.  After mucking with the originals to no success I find the modified copy program and it seems to work like a charm putting it everywhere.  I look at the php.ini file and see that
line  38 says "register_globals = On"
then at the end on lines 208-211
208 ; USER MODIFIED PARAMETERS FOLLOW
209 
210 register_globals = Off
211 session.use_trans_sid = 0
212 

Now, no matter how I change this file (modifying line 38, deleting line 208-211, leaving as is) nothing seems to change the setting.

From what I read in the last comment by CirTap it seems that the only way to effect a change is to do it through the .htaccess or through the master php.ini.  Well, I can't get my hoster to change the master php.ini and the .htaccess.  All in all this is a very good hoster, fast, effective, knowledgeable and cooperative.

I still have the red bar of danger, as I am now starting to call it, in my Joomla admin screens.    Any suggestions what my next step should be?

wshealy
Joomla! Apprentice
Posts: 43
Joined: Thu Jan 19, 2006 4:12 am

Re: secure it with php.ini

Post by wshealy » Thu Sep 07, 2006 4:19 am

As I said above, this gives me a 500 error on the 1&1 server when added to .htaccess.  Several of you seem to have gotten it to work. Any suggestions? Any clues? Any way to get more specific info why?
Harrison78 wrote: This may be of interest to members who use 1and1 for their Joomla hosting.

AddType x-mapp-php5 .php
By the way, 1&1 technical support seems wholly worthless on this point; all they did was email a link to the php faq which I had already read. Giving up drinking to save for a more personal hosting option. :> Hold it, I didn't drink in the first place. Only this upgrade has driven me to consider it.

Thanks
W
W

CirTap
Joomla! Explorer
Posts: 418
Joined: Mon Dec 12, 2005 5:34 pm

Re: secure it with php.ini

Post by CirTap » Thu Sep 07, 2006 11:37 am

mrochte wrote: I talked with my host and they said just add "php_flag register_globals off" to the .htaccess
Hi,

if your provider runs Apache 2 this should be a number
  php_flag register_globals 0
(not sure, but AFAIK using numbers instead of strings (yes/on, no/off) works with either version, give it a try)

It's always a matter of your very specific and usually UNIQUE server environment. I know of ISPs that do have the PHP module on some servers and CGIs on others, and a mix of PHP versions, too, depending on their update/upgrade policy/ability.
What you may do with PHP4 need not work for PHP5. S+P, the "business brand" of 1und1, allows the "php.ini" trick for PHP4-CGIs but not with PHP5!
Also don't trust any handy looking "PHP Info page" available in your web-space control panel; it may run on a totally different (mirror) server, "accidentally" use a different .ini file and bingo: different config! (I ran into that once; provider: Artifiles)

To find the real configuration of PHP for "your web site" always use your very own copy of a phpinfo-file and check live at the location your php apps are running. Security-wise: just in case... don't use a name such as "phpinfo.php" but a more fancy one, put it into an equally unusually named subfolder and not your document/joomla root, and once done with it, drop that stuff as it may reveal sensitive information.

To ease debugging, temporarily rename any php.ini or .htaccess in the path to the following test scripts, incl. parent directories you have access to.
- If J! runs in the webroot, disable SEF prior to renaming the htaccess file, or even take it offline (if you dare).
- If J! runs in a subfolder ( http://www.foobar.com/joomla/ ) do your tests in an adjacent folder, you may then leave J! as is.
You may equally use a "clean" subdomain running on the same server (recommended) to sniff out all the settings.

- create a new folder for this TEST, use whatever name you want
- again: make sure there's no php.ini or .htaccess in that path that may affect the results, esp. any of the "AddType" stuff
- use the attached file and upload as whatever.php and whatever.php5 to that folder
- locate each file in your browser and have a look
- What's the result of "SAPI name" ?
- What are the values of "PHP Version" and "Configuration File" in the table below?
- Proceed to the "Configuration PHP Core" section, search for the "register_globals" entry: we want local (left column) to be "off".

The value of "Server API" from phpinfo() can be more human friendly, hence the call of php_sapi_name() at the beginning and the function test.
Make a note of these values

I can't recall the "SAPI name" on Apache 1.3x, since I have no access to such an environment anymore. In module-mode there'll be an additional phpinfo() section called "Apache Environment", the entry SERVER_SOFTWARE should give the same result as apache_get_version() - Apache version and build. This whole section is missing in CGI mode!

If PHP runs as Apache module .htaccess should do the job
- now create a simple .htaccess with only one directive:
      php_flag register_globals 1
- upload into the same dir as your phpinfo-files
- launch/reload each script (*.php, *.php5)
If you get a 500, despite PHP reporting to be a module, the "php_value" command/directive appears to be either unknown to Apache or its usage is prohibited (that'd be weird though).
In case you have access to the error log, have a look inside. The last few lines should tell you what's fishy. Drop/rename that interim .htaccess to regain access. Some mass hosters disable error logs, so you may be out of luck here.

Accept the current situation. If your provider told you to use "php_value" tell him that appears to be no-go, and provide the error messages from the error log if possible. Be specific about your tests, tell him where he can find your files to take a look.
Ask him if this or that is possible on that web-space, php version, etc. Remember that ISPs may have different setups on different servers. Ask if you may move to another (newer) server that offers this ability. Stay polite and patient :)

If PHP "SAPI name" tells anything like CGI, create ONE php.ini and add

  [php]
  register_globals = off

NO QUOTES!
- Upload the file into the directory of your phpinfo-file and reload
- Did PHP read that file? The path in "Configuration File" should have changed.
- Did the (local) register_globals value change, too?
If nothing "happened" rename the ini file adding the value of "SAPI name" as mentioned earlier, i.e. "php-cgi.ini" and try again.

Check with BOTH phpinfo-files xx.php and yy.php5 -- there might be different results.
The PHP manual mentions that PHP5 will also look for "php5.ini" rather than "php.ini" -- try this name and the various SAPI name combination.

Should none of this work, you might be out of luck with that ISP. Rethink the money-saving option ;)

Have fun & good luck,

CirTap

(edit: fixed typos)
Last edited by CirTap on Fri Aug 17, 2007 11:40 am, edited 1 time in total.
You can have programs written fast, well, and cheap, but you only get to pick 2 ...

"I love deadlines. I like the whooshing sound they make as they fly by." Douglas Adams
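A plain-text stand-in for the "whatever.php / whatever.php5" test files the checklist above works through, as an added example written for this page; it is not the attachment CirTap refers to and not code from the thread. It prints the values the steps ask for (SAPI name, PHP version, the configuration file actually loaded, the effective register_globals and disable_functions settings, and whether the Apache-module section would exist at all) and suggests the php-<sapi>.ini file name from the earlier post. It is written for PHP 5.2 and later: php_ini_loaded_file() only exists from PHP 5.2.4 and register_globals was removed in PHP 5.4, so both are guarded. The "cgi in the SAPI name means CGI mode" rule is the post's own rule of thumb; the file name is a placeholder, and as the post says, upload it under a non-obvious name to both .php and .php5, compare the two, and delete it afterwards.

```php
<?php
// Added example: a plain-text stand-in for the "whatever.php / whatever.php5"
// test files described above (not the attachment from the thread). Upload it
// under a non-obvious name to both extensions, compare the two results, and
// delete it afterwards, as the post above recommends. PHP 5.2+ syntax.

/** True when an ini_get() result means "off" in any of PHP's spellings. */
function iniValueIsOff($value)
{
    $v = strtolower(trim((string) $value));
    return in_array($v, array('', '0', 'off', 'false', 'no'), true);
}

/** Collect the facts the checklist asks for, as a key => value array. */
function phpRuntimeReport()
{
    $sapi = php_sapi_name();
    $rg   = ini_get('register_globals');    // false when the directive no longer exists (PHP >= 5.4)

    $report = array(
        'PHP Version'        => PHP_VERSION,
        'SAPI name'          => $sapi,
        'Mode'               => (stripos($sapi, 'cgi') !== false)
                                    ? 'CGI (per-directory php.ini is read on each request)'
                                    : 'module or other (php.ini read once at server start)',
        'Configuration File' => function_exists('php_ini_loaded_file')
                                    ? (php_ini_loaded_file() ? php_ini_loaded_file() : '(none loaded)')
                                    : '(unknown: php_ini_loaded_file() needs PHP 5.2.4)',
        'register_globals'   => ($rg === false)
                                    ? '(directive removed in this PHP version)'
                                    : (iniValueIsOff($rg) ? 'off' : 'ON, still needs fixing'),
        'disable_functions'  => ini_get('disable_functions') ? ini_get('disable_functions') : '(none)',
        'Apache Environment' => function_exists('apache_get_version')
                                    ? apache_get_version()
                                    : '(section absent: not running as an Apache module)',
        'Script directory'   => dirname(__FILE__),
        'DOCUMENT_ROOT'      => isset($_SERVER['DOCUMENT_ROOT']) ? $_SERVER['DOCUMENT_ROOT'] : '(unset)',
        'getcwd()'           => getcwd(),
    );
    // File name to try next if a plain php.ini was ignored (php-<sapi>.ini, as the earlier post says).
    $report['Try ini name'] = 'php-' . $sapi . '.ini';
    return $report;
}

header('Content-Type: text/plain');
foreach (phpRuntimeReport() as $key => $value) {
    echo str_pad($key, 20), ': ', $value, "\n";
}
```

Reading the output against the checklist: "Mode" tells you whether a per-directory php.ini can work at all, "Configuration File" shows whether the copy you uploaded was the one actually read, and the three path lines side by side show the mismatch between Apache's, PHP's and the OS's view of your web space that the earlier post describes.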

CirTap
Joomla! Explorer
Posts: 418
Joined: Mon Dec 12, 2005 5:34 pm

Re: secure it with php.ini

Post by CirTap » Thu Sep 07, 2006 12:03 pm

wshealy wrote: By the way 1&1 technical support seems wholely worthless on this point all they did was email a link to the php faq which I had already read.
.. not only "on this point". They are somewhat cheap but (tech) support suxx in general (web, DSL, you name it). They just keep you hanging on the phone line letting you pay a lot to get nothing. The technology itself isn't bad though, but consider the money you [already] spent on their "service numbers", you could have a better hoster AND a few drinks for that ;)
I'm using 1&1 DSL and I'm fine with this, and we have one root-server that happens to work (our way), but the "low-budget" stuff they offer doesn't pay off in the long run.
If you happen to call them more than once, move to their business brand S+P (Schlund). They cost more than 1&1 but provide excellent support, pretty skilled, and offer a toll-free number (0800 xx). If they can't solve it with you on the phone they either pass you over to someone who does know or get back to you and offer a solution.
Check user recommendation in the (german) forums to have less hassle with your websites, join with a bunch of friends/colleagues and get a "root server" and share the costs. almost any provider will do fine in this "class".

Have fun,
CirTap
You can have programs written fast, well, and cheap, but you only get to pick 2 ...

"I love deadlines. I like the whooshing sound they make as they fly by." Douglas Adams

wshealy
Joomla! Apprentice
Posts: 43
Joined: Thu Jan 19, 2006 4:12 am

Re: secure it with php.ini

Post by wshealy » Thu Sep 07, 2006 6:12 pm

Guys
Thanks for all the input. This upgrade has been at best difficult. Last night I finally determined I was changing to php5. I renamed my existing joomla directory and started with a clean install of 1.0.11. I created .htaccess with one line AddType x-mapp-php5 .php. Checked phpinfo and I was off and running PHP 5.1.6 (defaults to globals off).

The clean install of joomla ran fine. I began adding back components and moving graphics.

I deleted VOTD which was causing the 500 error under php5

I loaded ijoomla's magazine 2.0 beta - very nice if a little over copyprotected. Gradually I added back the stuff that worked and ditched the rest.

I now need to add the bad spider and hot link code back to htaccess.

Progress by baby steps with several falls
W
Last edited by wshealy on Sat Sep 09, 2006 2:22 am, edited 1 time in total.
W

rliskey
Joomla! Guru
Posts: 828
Joined: Tue Jun 06, 2006 7:41 am
Location: California, Germany, Norway

Re: secure it with php.ini

Post by rliskey » Thu Sep 07, 2006 7:03 pm

I wouldn't discount what you're doing.  It's great progress!

You're configuring and upgrading a complex, highly interactive, multi-layered, multi-protocol, database-driven, client-server, user authenticated, world-accessible application that enables almost anyone to click on virtual buttons and get what they are looking for.

There ain't no such thing as baby steps here, only carefully thought through steps. You can even remember and document what you did! That's light years ahead of the crowd!

pactum
Joomla! Apprentice
Posts: 9
Joined: Mon Sep 04, 2006 11:11 pm

Re: secure it with php.ini

Post by pactum » Thu Sep 07, 2006 7:23 pm

To clarify... if I use the php.ini in the root directory, I'll still need to put it into each individual directory (subdirectory)? Joomla has dozens of directories!  >:(

azspecter
Joomla! Intern
Posts: 60
Joined: Sun Sep 03, 2006 8:12 pm

Re: secure it with php.ini

Post by azspecter » Thu Sep 07, 2006 11:49 pm

ok guys- I am COMPLETELY lost on all this, and I'm posting for all the newbies who are in the same boat.  My host told me the only way to turn register_globals off is to do the php.ini file in the ROOT directory; they didn't mention all the subdirectories.

Can someone write a php.ini for Dummies post here and give us a step by step how-to?  ie- 1) FTP into your site  2) upload this file... etc etc

I think that would be EXTREMELY helpful!  I'm seeing weird scripts, copy, delete, CGI-bins, etc directories. I'm just lost.  As important as this topic is, I think it should be a step by step how-to and put into FAQs or made sticky.  Anyone up for the challenge?  All us newbies would CERTAINLY appreciate it!!!
Thanks

Geoff
Joomla! Virtuoso
Posts: 3193
Joined: Sun Apr 16, 2006 12:20 am
Location: 127.0.0.1

Re: secure it with php.ini

Post by Geoff » Fri Sep 08, 2006 1:16 am

azspecter wrote: ok guys- I am COMPLETELY lost on all this, and I'm posting for all the newbies who are in the same boat.  My host told me the only way to turn register_globals off is to do the php.ini file in the ROOT directory; they didn't mention all the subdirectories.

Can someone write a php.ini for Dummies post here and give us a step by step how-to?  ie- 1) FTP into your site  2) upload this file... etc etc

I think that would be EXTREMELY helpful!  I'm seeing weird scripts, copy, delete, CGI-bins, etc directories. I'm just lost.  As important as this topic is, I think it should be a step by step how-to and put into FAQs or made sticky.  Anyone up for the challenge?  All us newbies would CERTAINLY appreciate it!!!
Thanks
writing one right now
will edit this topic after I finish

edit: done
http://forum.joomla.org/index.php/topic,93191
Hopefully it's clearer, but at least it combines the key points in this topic.
Last edited by Geoff on Fri Sep 08, 2006 1:59 am, edited 1 time in total.
Backup, backup, backup!
The "Master" .htacess file by Nicholas http://snipt.net/nikosdion/the-master-htaccess

diegolaz
Joomla! Intern
Posts: 59
Joined: Wed Oct 19, 2005 5:11 am

Re: secure it with php.ini

Post by diegolaz » Fri Sep 08, 2006 1:39 am

Hi, for "register_globals = off"... is there something I can do if my hosting service doesn't allow a local php.ini and has register_globals set to on?
Here are the other changes I made:
• .htaccess with php_flag register_globals off --> gives me a 500 page error
• set define( 'RG_EMULATION', 0 ); in globals.php
Is there any other option?
Thanks!

Geoff
Joomla! Virtuoso
Joomla! Virtuoso
Posts: 3193
Joined: Sun Apr 16, 2006 12:20 am
Location: 127.0.0.1

Re: secure it with php.ini

Post by Geoff » Fri Sep 08, 2006 2:00 am

If you can't edit/create a custom php.ini file and turning register_globals off in .htaccess gives you an error, you might want to switch hosts....
Backup, backup, backup!
The "Master" .htaccess file by Nicholas http://snipt.net/nikosdion/the-master-htaccess

User avatar
herotuxer
Joomla! Apprentice
Joomla! Apprentice
Posts: 8
Joined: Mon Sep 04, 2006 11:48 pm
Location: EbooksHeaven.org
Contact:

Re: secure it with php.ini

Post by herotuxer » Fri Sep 08, 2006 4:29 am

Hello, I tried to add:

allow_url_fopen = OFF;
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open;

but the error log said: Parse error:  syntax error, unexpected '=' in $HOME/php.ini on line 28

where line 28 is the allow_url_fopen line. Why is the = unexpected? Did I write the syntax the right way?

azspecter
Joomla! Intern
Joomla! Intern
Posts: 60
Joined: Sun Sep 03, 2006 8:12 pm

Re: secure it with php.ini

Post by azspecter » Fri Sep 08, 2006 5:00 am

Geoff-
Hey bud- this is awesome. However, my host says that I can place a php.ini file in my root directory and it will override (so they say).  However- I don't know what to put in a php.ini file!  Can you possibly post the entire file for me so I can just copy, paste in a new file, and FTP it on up?
Thanks

User avatar
rliskey
Joomla! Guru
Joomla! Guru
Posts: 828
Joined: Tue Jun 06, 2006 7:41 am
Location: California, Germany, Norway
Contact:

Re: secure it with php.ini

Post by rliskey » Fri Sep 08, 2006 6:11 am

It wouldn't be wise to just copy any php.ini file from one ISP to another. Each ISP and server has specific settings. Much better to read the documentation in these forums and at http://www.php.net, and learn how to adjust php.ini files yourself. It's really not hard. Might take you 20 minutes to learn.

Also, take a good look at the directions that come with the B & T scripts. You'll find a very easy technique for copying your ISP's main php.ini file. It's very important that you start with that. It also serves as a handy model for how to add more settings as you advance.

And, of course, since you test such changes on your development server, you can try different php.ini settings, observe the results, and learn from them.

If you don't have a development server AND don't understand php.ini settings AND would like to keep your public site working, don't mess with php.ini settings!

User avatar
CirTap
Joomla! Explorer
Joomla! Explorer
Posts: 418
Joined: Mon Dec 12, 2005 5:34 pm

Re: secure it with php.ini

Post by CirTap » Fri Sep 08, 2006 9:38 am

Please folks, this is ridiculous! It's fun to read all those magic "working" solutions and how often they fail :laugh:
You're dealing with an extremely complex environment and almost each hoster is an exception.

Please read at least the page "Runtime Configuration" from the PHP manual and stop copying php.ini's all over the place:
http://php.net/manual/configuration.php This document lists 10 different locations where, when and in what order "php.ini" will be sought and loaded, the possible file names, and dependencies on whether it's CGI/CLI/module, including differences between operating systems.

Phrase your problem, request and questions clearly when you talk to your hoster and tell him what you PLAN TO DO and why!
Don't just ask "where to put the php.ini": the answer might be wrong for your host and Joomla setup but correct for others.
Tell him you're using Joomla (CMS) and whether it's installed in the web-root or in a subfolder. Tell him you want to secure your site a bit more by disabling register_globals. Ask for the Apache + PHP versions and the interface in use (cgi, module) for your web-space, and whether there are differences in how to change this or that and if it's possible/allowed to do at all.

Unless you're fully aware of the exact server environment and versions, any "best practice" may totally fail. Unless you grasp the differences between the PHP CGI and module, what the "ROOT" of your server is, where PHP's working directory is, etc., you're doing nothing but wasting your time trying to "fix" any of Apache's or PHP's configuration directives.
Search the PHP manual for the correct syntax of the settings, and check the available user comments. It's all explained! Some values MUST be numbers, some strings, and some MUST be "quoted"...
http://php.net/manual/ini.php
rliskey wrote: It wouldn't be wise to just copy any php.ini file from one ISP to another. Each ISP and server has specific settings. Much better to read the documentation in these forums and at http://www.php.net, and learn how to adjust php.ini files yourself. It's really not hard. Might take you 20 minutes to learn.
I fully second that, rliskey, but I think no one will notice and follow your advice ...

Good luck,
CirTap
You can have programs written fast, well, and cheap, but you only get to pick 2 ...

"I love deadlines. I like the whooshing sound they make as they fly by." Douglas Adams
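A way to verify what herotuxer and CirTap are discussing above, rather than guessing: this added check page (not code from this thread or from Joomla) reports which php.ini PHP actually loaded, which SAPI is running (CGI or Apache module), and the effective values of register_globals, allow_url_fopen and disable_functions. The file name checkini.php is an assumption; upload it, open it once in a browser, then delete it, since it discloses server configuration.

```php
<?php
// Added example: report the php.ini PHP really uses and the effective value of
// the settings discussed in this thread. Assumed file name: checkini.php.
// Delete this file after reading the output; it reveals server configuration.

header('Content-Type: text/plain');

// ini_get() reports an Off flag as "" or "0" (or the raw word when it was set
// through .htaccess), so normalise before deciding whether a flag is on.
function ini_is_on($name)
{
    $v = strtolower(trim((string) ini_get($name)));
    return !in_array($v, array('', '0', 'off', 'no', 'false', 'none'), true);
}

// The functions herotuxer tried to disable above; compare against the live list.
$want_disabled = array('show_source', 'system', 'shell_exec', 'passthru',
                       'exec', 'phpinfo', 'popen', 'proc_open');
$disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));

echo "PHP version    : ", PHP_VERSION, "\n";
echo "SAPI           : ", php_sapi_name(), "\n";   // "cgi", "cgi-fcgi", "apache2handler", ...

// Full path of the php.ini that was loaded, or false if PHP fell back to defaults.
$loaded = get_cfg_var('cfg_file_path');
echo "php.ini loaded : ", ($loaded === false ? 'none (built-in defaults)' : $loaded), "\n";

// The current working directory is one of the places PHP searches for php.ini
// (except under CLI), which is why a php.ini "in the root" may not be the one used.
echo "working dir    : ", getcwd(), "\n";

foreach (array('register_globals', 'allow_url_fopen') as $flag) {
    echo str_pad($flag, 15), ": ",
         ini_is_on($flag) ? "On  <-- should be Off" : "Off (ok)", "\n";
}

$missing = array_diff($want_disabled, $disabled);
echo "disable_functions missing: ",
     $missing ? implode(', ', $missing) : 'none (all listed functions disabled)', "\n";
```

If "php.ini loaded" is not the file you edited, the change is being read from somewhere else in the search order CirTap links to, and no amount of editing the wrong copy will help.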

pactum
Joomla! Apprentice
Joomla! Apprentice
Posts: 9
Joined: Mon Sep 04, 2006 11:11 pm

Re: secure it with php.ini

Post by pactum » Fri Sep 08, 2006 5:20 pm

CirTap wrote: Please folks, this is ridiculous! It's fun to read all those magic "working" solutions and how often they fail :laugh:
You're dealing with an extremely complex environment and almost each hoster is an exception.
No, what's ridiculous is that Joomla is so insecure that it needs register globals off.

Kindred
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 182
Joined: Thu Aug 18, 2005 8:43 pm
Contact:

Re: secure it with php.ini

Post by Kindred » Fri Sep 08, 2006 5:30 pm

Pactum,

Joomla is not insecure.
Joomla does not require register_globals to be OFF...

There are some third party components (which are NOT under the control of anyone on the official joomla team) that have some vulnerabilities.

However, once again (and this apparently can not be said enough, since people keep thinking this is somehow joomla's fault)...
once again...  JOOMLA IS SECURE!
