secure it with php.ini

Discussion regarding Joomla! security issues.

Moderator: General Support Moderators

azspecter
Joomla! Intern
Posts: 60
Joined: Sun Sep 03, 2006 8:12 pm

Re: secure it with php.ini

Post by azspecter » Fri Sep 08, 2006 6:30 pm

Hey guys-
I appreciate all the input here, but now I am confused. Before, it was throw a simple php.ini file in every directory and you're done. Now I'm hearing that it's much more complex than that, and all I will get is major problems trying to do it that way.

I am about to do a 'Grand Opening' and marketing blitz on my site this weekend. Before I do that, I want to make sure some idiot can't get in there and destroy it all (well, I'd like to make it as difficult as possible for them to).  As a newbie who doesn't know php at all- or server stuff, and is hosted at GoDaddy.com- what do I do? What's the most effective way to secure my site as best as possible? And no, switching servers/hosts is not an option at this point.

Thanks guys, I really appreciate it all!

 
dam-man
Joomla! Exemplar
Posts: 7961
Joined: Fri Sep 09, 2005 2:13 pm
Location: The Netherlands

Re: secure it with php.ini

Post by dam-man » Fri Sep 08, 2006 9:30 pm

Try this one:
1) hoster sets global default server settings right in php.ini file (usually in /etc/php.ini)
It's working for the whole site. It's the global php.ini file. 
When they have Ensim Pro control Panels the client can change the php.ini file themselves  :)
Robert Dam - Joomla Forum Moderator
Dutch Boards | Joomla Coding Boards | English Support Boards

wshealy
Joomla! Apprentice
Posts: 43
Joined: Thu Jan 19, 2006 4:12 am

Re: secure it with php.ini

Post by wshealy » Sat Sep 09, 2006 2:19 am

It is possible to get 1&1 site clean!!! :)
I have made great progress now running 1.0.11 under php 1.5.6 after deleting mod_votd (500 error).
We have gotten the whole site cleaned up for 1.5 beta

I can't say enough for Ken and Open-SEF they both rock. Ken made a personal appearance on my site to tune Open-SEF up and eliminate problems I had caused by my lack of understanding.

I also solved a problem that bit me while the site was down when Google crawled me while I was offline and I lost all my site information in Google. Google for webmasters says a site should return a "503 Service unavailable" when it is down for service. Of course joomla doesn't. My version now does. Wish I could figure out who could get this code added to the next release.

Code:

if ( $mosConfig_offline == 1 ) {
	// Tell crawlers the outage is temporary so they keep the site indexed
	header("HTTP/1.1 503 Service unavailable");
	header("Status: 503 Service unavailable");
}

I added it to offline.php about 4 lines down right after define globals.

Goes off to be a happy camper! Thanks for everyone's help.
W

CirTap
Joomla! Explorer
Posts: 418
Joined: Mon Dec 12, 2005 5:34 pm

Re: secure it with php.ini

Post by CirTap » Sat Sep 09, 2006 11:07 am

pactum wrote: No, what's ridiculous is that Joomla is so insecure that it needs register globals off.
Sorry, but you apparently have no clue about the subject. J! runs perfectly well with RG off.
Almost any "security leakage" in Joomla! was based on PHP's own holes that made *every* PHP application vulnerable the same way, and the fact that there are masses of extensions written by unskilled "developers". There is nothing like a "secure software" of that complexity, but the J! developers did an excellent job in fixing every new hole that was found in either PHP or caused by some behaviour somebody was able to foresee.
Last edited by CirTap on Sat Sep 09, 2006 11:10 am, edited 1 time in total.
You can have programs written fast, well, and cheap, but you only get to pick 2 ...

"I love deadlines. I like the whooshing sound they make as they fly by." Douglas Adams

alexwalker
Joomla! Enthusiast
Posts: 166
Joined: Thu Sep 15, 2005 3:54 pm
Location: Lancaster, UK (near the Lake District)

Re: secure it with php.ini

Post by alexwalker » Sat Sep 09, 2006 12:20 pm

I asked my host streamline if they could turn off register_globals in php.ini and this is their reply. Should I move to the windows server, or move host?

Hi Alex Walker,

Thanks for your query.

Please note that as you are hosted on Linux, register_globals are turned on. They are off on our Windows servers. You are able to move between servers through this control panel using the Switch Windows/Linux option.

We hope you are enjoying your weekend.

Kind Regards,
Support Department
Streamline.Net - The home of good value web hosting
Alex Walker
"to assume is to make an ass of u and me"

CirTap
Joomla! Explorer
Posts: 418
Joined: Mon Dec 12, 2005 5:34 pm

Re: secure it with php.ini

Post by CirTap » Sat Sep 09, 2006 1:17 pm

alexwalker wrote: I asked my host streamline if they could turn off register_globals in php.ini and this is their reply. Should I move to the windows server, or move host?
Hi Alex,
best answer to give: it depends...
Some stuff you should consider:
- will the Windows Server run IIS or Apache as the web server? they differ in many aspects
- if Apache, good, but will it be the same version (e.g. 1.3x or 2.x)? if this is a "downgrade": don't move
- will PHP be the same version, or probably higher? 4.4.x or 5.1.x are current. if this is a "downgrade": don't move
- are any php extensions "missing"? usually they do.
- several "core" features of PHP/Apache do not exist for Windows by design; your apps may lack essential functionality
- are other "applications" or PHP scripts running on the affected domains? Check their requirements FIRST! Some simply don't run on Windows system (no matter what web server/PHP version/etc.)
- will this move also affect the database server? J! (incl. 1.5) only handles MySQL
- if MySQL, good, but is it the same or a higher version? MySQL4.x would be better, J! 1.5 will love native UTF-8 support.  if this is a "downgrade": don't move

@all: don't be so paranoid about register_globals=on. Don't believe that if this value's off, your site is secure. It's one of many settings that result in a "little more security". If someone hacks the server, register_globals=off won't protect your site.
High security always implies less comfort! You can't have both. Nowhere and never: at home, your car, your web site.

J! handles RG in the "globals off emulation" and works with either on or off. But check your pool of installed extensions for vulnerabilities!! There's a sub forum in this board. Get rid of anything that's weakening J! from inside.
Secure your folders and files via CHMOD/CHOWN as outlined in this excellent sticky: Joomla Administrator's Security Checklist. Not everything will be possible to achieve, but there's a lot of things in that post each user can do as well.
"Lock" critical folders and only have them writeable if you really need to. There's no need to have configuration.php writeable all the time: configure once, lock it and done.

CirTap
You can have programs written fast, well, and cheap, but you only get to pick 2 ...

"I love deadlines. I like the whooshing sound they make as they fly by." Douglas Adams

loman
Joomla! Fledgling
Posts: 1
Joined: Fri Dec 23, 2005 9:21 pm

Re: secure it with php.ini

Post by loman » Sat Sep 09, 2006 5:43 pm

Can the php.ini file change regarding register_globals setting `OFF` be added to .htaccess part of the default .htaccess file in 1.0.11 identified in Using .htaccess files to block exploit attempts at http://forum.joomla.org/index.php/topic,75376.0.html ???

corsebou
Joomla! Intern
Posts: 89
Joined: Sat Jul 29, 2006 8:56 pm

Re: secure it with php.ini

Post by corsebou » Sun Sep 10, 2006 12:50 pm

Hello, all!

I am trying to secure my Joomla 1.0.11 since a few days and I read here that I have to "turn the Register globals off", by modifying the php.ini

However as I am on a "shared server" my hosting refuses to change it for me. (I don't have access to php.ini myself)
I asked for the other technique, that is the "turn the register globals off" from the .htaccess but I asked it before to the technical support of the hosting and they told me that it's not possible, they have blocked that technique and if I try I will have an "error 500"...

I am starting to think it's a very limited hosting but I paid for it two months ago I still have for 10 months left with them...
:(

They also told me that putting a "php.ini" in all folders won't work.

Their advice was to always update Joomla as soon as possible and that it's secure anyway like it...  :-\  I do understand that it's a convenient response but...

So should I be afraid of my register globals on?
(It's my only security warning, I have even double protected the administrator folder by .htaccess password and changed the "admin" login)

Is there another possibility to change it without the techniques explained here "override, changing php.ini or .htaccess"?
Edit: I read the excellent explanations for registerglobals, here: http://forum.joomla.org/index.php/topic,93640.0.html but still concerned....


:)
Cheers!!

My hosting is OVH.FR by the way...
Last edited by corsebou on Sun Sep 10, 2006 12:55 pm, edited 1 time in total.

rliskey
Joomla! Guru
Posts: 828
Joined: Tue Jun 06, 2006 7:41 am
Location: California, Germany, Norway

Re: secure it with php.ini

Post by rliskey » Sun Sep 10, 2006 8:41 pm

Hey guys-
I appreciate all the input here, but now I am confused. Before, it was throw a simple php.ini file in every directory and you're done. Now I'm hearing that it's much more complex than that, and all I will get is major problems trying to do it that way.

I am about to do a 'Grand Opening' and marketing blitz on my site this weekend. Before I do that,
If setting up a secure site confuses you, hire a Joomla! professional to review your site's status. Factoring in what it costs to learn the hard way AFTER you've been hacked will make this investment seem a bargain.

Joomla! is free. Wisdom and experience can be priceless.

Programit
Joomla! Apprentice
Posts: 27
Joined: Tue Feb 21, 2006 11:27 pm

Re: secure it with php.ini

Post by Programit » Sun Sep 10, 2006 10:30 pm

My host does not allow any access to the PHP.INI file. Zero, Nadda, None!
I contacted them and they assured me that having the global settings to on is a very minimal risk yet is required for many scripts.
To change hosts for a minor setting is a bit extreme, not to mention expense.

If someone could tell me how to get rid of the warning message in 1.0.11 then I'd save a lot of time hacking code to remove it.

rliskey
Joomla! Guru
Posts: 828
Joined: Tue Jun 06, 2006 7:41 am
Location: California, Germany, Norway

Re: secure it with php.ini

Post by rliskey » Mon Sep 11, 2006 12:13 am

To change hosts for a minor setting is a bit extreme, not to mention expense.
This is NOT a minor setting, as has been explained multiple times in this forum, on the official PHP site, and elsewhere. If you are doing anything at all serious with Joomla!, you'll probably find getting cracked to be even more expensive. You may also find at that point that your host is no longer sending you comforting, "Don't you worry about a thing!" emails. Good luck!
If someone could tell me how to get rid of the warning message in 1.0.11 then I'd save a lot of time hacking code to remove it.
Hoping to save time by not learning anything and relying instead on whatever others tell you? Okay, here's how...

The process is similar to disabling the seatbelt warning in your car, and equally foolish:
  1. Find the warning by doing a global search for the offending text.
  2. Hack the code to say something you find more comforting, or just comment it out.
  3. Pray to the gods of your choice.
Last edited by rliskey on Mon Sep 11, 2006 8:12 am, edited 1 time in total.

Programit
Joomla! Apprentice
Posts: 27
Joined: Tue Feb 21, 2006 11:27 pm

Re: secure it with php.ini

Post by Programit » Mon Sep 11, 2006 5:38 am

Sarcasm Noted!, no real help, but noted as a sign of IQ levels!
Sorry for trying to seek help, I won't do that again! 
Thanks for the great support for Joomla! ???

rliskey
Joomla! Guru
Posts: 828
Joined: Tue Jun 06, 2006 7:41 am
Location: California, Germany, Norway

Re: secure it with php.ini

Post by rliskey » Mon Sep 11, 2006 7:16 am

Okay, sorry about the sarcasm. Not sure how to help you though. The warning messages are important and only show in the backend to administrators. Hacking code to remove warnings does not seem like a very good idea.

CirTap
Joomla! Explorer
Posts: 418
Joined: Mon Dec 12, 2005 5:34 pm

Re: secure it with php.ini

Post by CirTap » Mon Sep 11, 2006 8:43 am

loman wrote: Can the php.ini file change regarding register_globals setting `OFF` be added to .htaccess part of the default .htaccess file in 1.0.11 identified in Using .htaccess files to block exploit attempts at http://forum.joomla.org/index.php/topic,75376.0.html ???
Welcome to the forums, loman
it can't be added (and activated) by default because it would have several drawbacks as mentioned a few times in this thread:
- this only works with PHP server module not CGI
- could break (poorly written) 3PD extensions

CirTap
You can have programs written fast, well, and cheap, but you only get to pick 2 ...

"I love deadlines. I like the whooshing sound they make as they fly by." Douglas Adams

Rhand
Joomla! Enthusiast
Posts: 213
Joined: Sat Oct 01, 2005 3:09 pm
Location: World

Re: secure it with php.ini

Post by Rhand » Tue Oct 03, 2006 10:24 am

I have been trying to get rid of these Joomla! admin warnings:

    *  PHP magic_quotes_gpc setting is `OFF` instead of `ON`
    * PHP register_globals setting is `ON` instead of `OFF`

for a while now and have read quite a bit on this forum, but to no avail. I edited htaccess and added a php.ini, but the warnings are still there. I have to work it out myself cause the provider won't change the php.ini...

Here is the .htacces code I added:

Code:

php_value session.save_path '/var/www/httpdocs/test/temp'
php_flag register_globals off
magic_gpc_quotes = 1
register_globals = 0
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open
allow_url_fopen = 0

And here is my php.ini:

Code:

php_value register_globals 0
magic_quotes_gpc = on

I put it in my Joomla! root folder test/
What is missing here?
CEO Imagewize Ltd: webdesign | web development | branding
website: Imagewize.net

emagin
Joomla! Enthusiast
Posts: 136
Joined: Sun Sep 11, 2005 7:46 pm
Location: san francisco, ca usa

Re: secure it with php.ini

Post by emagin » Tue Oct 03, 2006 3:10 pm

If you are securing via php.ini that may mean that you are running PHP in cgi mode.
If this is so, then you need to put that php.ini in every directory of site.
See the top of this thread, #10 about tools to facilitate this.
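
An added example, not part of emagin's post and not one of the tools mentioned in this thread: a Python sketch of the per-directory approach, which reports which directories under a site root lack the master php.ini or carry a different copy, then fills in the gaps. The function names and the idea of keeping one master file are assumptions made for the example.

```python
import hashlib
import os
import shutil


def _digest(path):
    """SHA-256 of a file, used to compare copies against the master."""
    with open(path, "rb") as handle:
        return hashlib.sha256(handle.read()).hexdigest()


def audit_php_ini(site_root, master):
    """Compare the php.ini in every directory under site_root with master.

    Returns {"ok": [...], "missing": [...], "differs": [...]}; entries are
    paths relative to site_root ("." is the root itself). A "differs"
    entry means that directory runs with settings other than the master's
    and should be reviewed before it is overwritten.
    """
    wanted = _digest(master)
    report = {"ok": [], "missing": [], "differs": []}
    for current, dirs, _files in os.walk(site_root):
        dirs.sort()  # stable, readable ordering
        rel = os.path.relpath(current, site_root)
        candidate = os.path.join(current, "php.ini")
        if not os.path.isfile(candidate):
            report["missing"].append(rel)
        elif _digest(candidate) != wanted:
            report["differs"].append(rel)
        else:
            report["ok"].append(rel)
    return report


def deploy_php_ini(site_root, master, overwrite=False):
    """Copy master into each directory that has no php.ini.

    Differing copies are only replaced when overwrite=True.
    Returns the sorted list of directories that were written.
    """
    report = audit_php_ini(site_root, master)
    targets = report["missing"] + (report["differs"] if overwrite else [])
    for rel in targets:
        shutil.copyfile(master, os.path.join(site_root, rel, "php.ini"))
    return sorted(targets)


if __name__ == "__main__":
    import sys
    # Assumed usage: python deploy_ini.py /path/to/site /path/to/master.ini
    root, master_file = sys.argv[1], sys.argv[2]
    for state, paths in audit_php_ini(root, master_file).items():
        print(state, len(paths), paths)
```

Run the audit on its own first; `deploy_php_ini` only changes files when called explicitly.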

Social
Joomla! Apprentice
Posts: 5
Joined: Tue Sep 12, 2006 9:36 pm

Re: secure it with php.ini

Post by Social » Tue Oct 03, 2006 8:01 pm

Rhand,

Make sure that the file you are editing is .htaccess and not ".htacces".

I use CWI http://www.cwihosting.com  They do not enable the use of a php.ini in user directories, but I can use a .htaccess file to accomplish what I need to do.  You only need to edit this file in your web server root directory to affect all subdirectories.

Append to the end of .htaccess:
php_flag register_globals off
php_flag allow_url_fopen off
php_flag magic_quotes_gpc on

Please note that disable_functions did not work for me in the .htaccess file.  I later found PHP documentation that said that  disable_functions can only be used in php.ini  Search for "disable_functions" at http://us2.php.net/manual/en/ini.php

For reference, see:
http://forum.joomla.org/index.php?topic=81058.0
http://forum.joomla.org/index.php/topic ... #msg455771



In addition, I edited globals.php and changed the following line:
define( 'RG_EMULATION', 0);

For reference, see:
http://forum.joomla.org/index.php/topic,81058.0.html

Regards,

Social     
http://www.social.com Tips for Life

rliskey
Joomla! Guru
Posts: 828
Joined: Tue Jun 06, 2006 7:41 am
Location: California, Germany, Norway

Re: secure it with php.ini

Post by rliskey » Wed Oct 04, 2006 2:59 am

Code:

magic_gpc_quotes = 1

should be

Code:

magic_quotes_gpc = 1

Rhand
Joomla! Enthusiast
Posts: 213
Joined: Sat Oct 01, 2005 3:09 pm
Location: World

Re: secure it with php.ini

Post by Rhand » Wed Oct 04, 2006 3:46 am

emagin wrote: If you are securing via php.ini that may mean that you are running PHP in cgi mode.
If this is so, then you need to put that php.ini in every directory of site.
See the top of this thread, #10 about tools to facilitate this.

I installed info.php and I found that php.ini is installed in /etc/php.ini .

I edited php.ini as rliskey and social said. Furthermore, I added php.info to a few other folders (I didn't edit the file).... But I really don't know if my php.ini is running in cgi mode. I only know that I still have those darn warnings:

    *  PHP magic_quotes_gpc setting is `OFF` instead of `ON`
    * PHP register_globals setting is `ON` instead of `OFF`

And when I checked the php.ini I saw that it doesn't check my test folder for other .ini files...

Code:

additional .ini files parsed 	/etc/php.d/domxml.ini, /etc/php.d/gd.ini, /etc/php.d/imap.ini, /etc/php.d/mbstring.ini, /etc/php.d/mysql.ini, /etc/php.d/pgsql.ini
Rhand
Last edited by Rhand on Wed Oct 04, 2006 3:51 am, edited 1 time in total.
CEO Imagewize Ltd: webdesign | web development | branding
website: Imagewize.net

rjmccorkle
Joomla! Apprentice
Posts: 14
Joined: Sat May 13, 2006 9:10 pm
Location: Az-USA

Re: secure it with php.ini

Post by rjmccorkle » Tue Oct 17, 2006 4:40 am

NOTE for users of 1and1 - I emailed tech support and they were willing to work with me on this issue - however I found the answer on here.  I believe it's secure now as it doesn't have that annoying register_globals is STILL ON!  in red anymore. 

So yes, I did what the other guy did with the AddType x-mapp-php5 .php in the .htaccess file... but I actually had to place this as the FIRST LINE of the .htaccess.  I was thinking I'd have to create my own php.ini and what a pain that was turning out to be- I'm glad this worked.  1and1 is AWESOME and they support joomla - you just gotta read into it a little bit so don't be swayed by posts on here where peeps have had troubles w/ 1and1, they know what they're doing but you have to also.

I grabbed the joomla .htaccess for my site actually - here it is in case anyone is curious.  I was also curious about how to get  clean url's to work- it seemed to be rather clunky and it doesn't really create anything that people remember anyhow (/content/junk/junk/junk/) so I just set it back to default.

here's my .htaccess in case anyone's curious:

AddType x-mapp-php5 .php

##
# @version $Id: htaccess.txt 2368 2006-02-14 17:40:02Z stingrey $
# @package Joomla
# @copyright Copyright (C) 2005 Open Source Matters. All rights reserved.
# @license http://www.gnu.org/copyleft/gpl.html GNU/GPL
# Joomla! is Free Software
##


#####################################################
#  READ THIS COMPLETELY IF YOU CHOOSE TO USE THIS FILE
#
# The line just below this section: 'Options FollowSymLinks' may cause problems
# with some server configurations.  It is required for use of mod_rewrite, but may already
# be set by your server administrator in a way that dissallows changing it in
# your .htaccess file.  If using it causes your server to error out, comment it out (add # to
# beginning of line), reload your site in your browser and test your sef url's.  If they work,
# it has been set by your server administrator and you do not need it set here.
#
# Only use one of the two SEF sections that follow.  Lines that can be uncommented
# (and thus used) have only one #.  Lines with two #'s should not be uncommented
# In the section that you don't use, all lines should start with #
#
# For Standard SEF, use the standard SEF section.  You can comment out
# all of the RewriteCond lines and reduce your server's load if you
# don't have directories in your root named 'component' or 'content'
#
# If you are using a 3rd Party SEF or the Core SEF solution
# uncomment all of the lines in the '3rd Party or Core SEF' section
#
#####################################################

#####  SOLVING PROBLEMS WITH COMPONENT URL's that don't work #####
# SPECIAL NOTE FOR SMF USERS WHEN SMF IS INTEGRATED AND BRIDGED
# OR ANY SITUATION WHERE A COMPONENT's URL's AREN't WORKING
#
# In both the 'Standard SEF', and '3rd Party or Core SEF' sections the line:
# RewriteCond %{REQUEST_URI} ^(/component/option,com) [NC,OR] ##optional - see notes##
# May need to be uncommented.  If you are running your Joomla/Mambo from
# a subdirectory the name of the subdirectory will need to be inserted into this
# line.  For example, if your Joomla/Mambo is in a subdirectory called '/test/',
# change this:
# RewriteCond %{REQUEST_URI} ^(/component/option,com) [NC,OR] ##optional - see notes##
# to this:
# RewriteCond %{REQUEST_URI} ^(/test/component/option,com) [NC,OR] ##optional - see notes##
#
#####################################################


##  Can be commented out if causes errors, see notes above.
Options FollowSymLinks
Options +Indexes

#
#  mod_rewrite in use

RewriteEngine on
php_flag register_globals off
register_globals off



#  Uncomment following line if your webserver's URL
#  is not directly related to physical file paths.
#  Update Your Joomla/MamboDirectory (just / for root)

RewriteBase /
RewriteRule ^([a-z]+)\.html$ /index.php?$1 [R,L]



########## Begin Standard SEF Section
## ALL (RewriteCond) lines in this section are only required if you actually
## have directories named 'content' or 'component' on your server
## If you do not have directories with these names, comment them out.
#
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} ^(/component/option,com) [NC,OR] ##optional - see notes##
RewriteCond %{REQUEST_URI} (/|\.htm|\.php|\.html|/[^.]*)$  [NC]
RewriteRule ^(content/|component/) index.php
#
########## End Standard SEF Section


########## Begin 3rd Party or Core SEF Section
#
RewriteCond %{REQUEST_URI} ^(/component/option,com) [NC,OR] ##optional - see notes##
RewriteCond %{REQUEST_URI} (/|\.htm|\.php|\.html|/[^.]*)$  [NC]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule (.*) index.php
#
########## End 3rd Party or Core SEF Section
-Robert
Designer & Developer | Website Management Systems
http://www.RAinsites.com

gemigene
Joomla! Apprentice
Posts: 43
Joined: Mon Oct 16, 2006 8:11 pm
Location: Gatineau, QC, Canada

Re: secure it with php.ini

Post by gemigene » Thu Oct 19, 2006 8:30 pm

Pumuckl wrote:
I can overide the php.ini file.

Is this a solution that i can use for a more secure Joomla?
Yes, this will secure your joomla!
But check out, whether all function of 3rd party addons or components will work after this.
You have to insert the php.ini file in each directory, it does not work recursive!
And you didn't need to use the parameter "phpinfo", only if you don't want to show the user your php-configurations.
I've used it and I see, that joomla works still fine after I inserted the php.ini.
Try it!

if you're able to override the global php.ini, please add "php_value register_globals off", too

php.ini:
-------------snip-------------
allow_url_fopen = OFF
php_value register_globals off
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open
-------------snap-------------
Thanks for the info but are those the only 3 lines I need in my php.ini file? I'm new at php and would like to make things as simple as possible till I fiddle around with it a bit more.

I'm with GoDaddy and I don't have a php.ini file in my root directory. I tried the .htaccess fix and it kept me from accessing my site so, I had to remove it.

Gemigene
Last edited by gemigene on Thu Oct 19, 2006 8:35 pm, edited 1 time in total.

CirTap
Joomla! Explorer
Posts: 418
Joined: Mon Dec 12, 2005 5:34 pm

Re: secure it with php.ini

Post by CirTap » Thu Oct 19, 2006 8:39 pm

the code snippet is wrong, it mixes php.ini and .htaccess directives.
If AT ALL it should read:
-------------snip-------------
allow_url_fopen = OFF
register_globals = off
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open
-------------snap-------------
without php_value. This one only applies to the .htaccess file (or httpd.conf) WITH PHP running as a module.

Have fun & good luck,
CirTap
You can have programs written fast, well, and cheap, but you only get to pick 2 ...

"I love deadlines. I like the whooshing sound they make as they fly by." Douglas Adams
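
An added example, not code from any poster or from Joomla!: a small Python linter for the mix-ups discussed in this thread (php.ini syntax in .htaccess, php_value in php.ini, the magic_gpc_quotes misspelling, disable_functions outside php.ini). The sample inputs are the files Rhand and rjmccorkle posted above; the KNOWN list, the finding codes and the function names are assumptions made for the example.

```python
import difflib
import re

# Settings named in this thread (an assumption of this example: it is not a
# complete list of PHP directives, so any other name is left unjudged).
KNOWN = {"register_globals", "magic_quotes_gpc", "allow_url_fopen",
         "disable_functions", "session.save_path"}
# Per Social's post, disable_functions only takes effect in php.ini.
PHP_INI_ONLY = {"disable_functions"}

APACHE_FORM = re.compile(r"^php_(?:admin_)?(?:flag|value)\s+(\S+)", re.I)
INI_FORM = re.compile(r"^([A-Za-z_][\w.]*)\s*=")

# Sample inputs copied from the posts above.
RHAND_HTACCESS = """\
php_value session.save_path '/var/www/httpdocs/test/temp'
php_flag register_globals off
magic_gpc_quotes = 1
register_globals = 0
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open
allow_url_fopen = 0
"""
RHAND_PHP_INI = """\
php_value register_globals 0
magic_quotes_gpc = on
"""
RJMCCORKLE_FRAGMENT = """\
RewriteEngine on
php_flag register_globals off
register_globals off
"""


def suggest(name):
    """Return the known setting that `name` is probably a misspelling of."""
    words = sorted(name.split("_"))
    for known in sorted(KNOWN):
        if sorted(known.split("_")) == words:  # same words, wrong order
            return known
    close = difflib.get_close_matches(name, sorted(KNOWN), n=1, cutoff=0.85)
    return close[0] if close else None


def lint(text, kind):
    """Check one file; kind is 'htaccess' or 'php.ini'.

    Returns a list of (line_number, code, message) tuples.
    """
    if kind not in ("htaccess", "php.ini"):
        raise ValueError("kind must be 'htaccess' or 'php.ini'")
    comment = "#" if kind == "htaccess" else ";"
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(comment) or line.startswith("["):
            continue
        apache, ini = APACHE_FORM.match(line), INI_FORM.match(line)
        if apache:
            name = apache.group(1)
            if kind == "php.ini":
                findings.append((number, "APACHE_FORM_IN_PHP_INI",
                                 f"write '{name} = value' in php.ini"))
        elif ini:
            name = ini.group(1)
            if kind == "htaccess":
                findings.append((number, "INI_FORM_IN_HTACCESS",
                                 f"Apache needs 'php_flag {name} ...' or "
                                 f"'php_value {name} ...'"))
        else:
            name = line.split()[0]
            if kind != "htaccess" or not (name in KNOWN or suggest(name)):
                continue  # RewriteRule, Options, ...: not judged here
            findings.append((number, "MISSING_PREFIX",
                             f"'{name}' alone is not an Apache directive"))
        if name not in KNOWN:
            hint = suggest(name)
            if hint:
                findings.append((number, "TYPO", f"'{name}' looks like '{hint}'"))
        elif kind == "htaccess" and name in PHP_INI_ONLY:
            findings.append((number, "PHP_INI_ONLY",
                             f"'{name}' can only be set in php.ini"))
    return findings


def codes(text, kind):
    """Findings reduced to (line_number, code) pairs."""
    return [(number, code) for number, code, _msg in lint(text, kind)]


if __name__ == "__main__":
    for label, text, kind in (("Rhand .htaccess", RHAND_HTACCESS, "htaccess"),
                              ("Rhand php.ini", RHAND_PHP_INI, "php.ini"),
                              ("rjmccorkle .htaccess", RJMCCORKLE_FRAGMENT, "htaccess")):
        for number, code, message in lint(text, kind):
            print(f"{label}:{number}: {code}: {message}")
```

A line that Apache cannot parse in .htaccess produces the server error several posters describe, so linting the file before upload avoids taking the site down.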

gemigene
Joomla! Apprentice
Posts: 43
Joined: Mon Oct 16, 2006 8:11 pm
Location: Gatineau, QC, Canada

Re: secure it with php.ini

Post by gemigene » Thu Oct 19, 2006 8:50 pm

CirTap wrote: the code snippet is wrong, it mixes php.ini and .htaccess directives.
If AT ALL it should read:
-------------snip-------------
allow_url_fopen = OFF
register_globals = off
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open
-------------snap-------------
without php_value. This one only applies to the .htaccess file (or httpd.conf) WITH PHP running as a module.

Have fun & good luck,
CirTap
Thanks but how do I do it? Suggestions anyone?

Gemigene

CirTap
Joomla! Explorer
Posts: 418
Joined: Mon Dec 12, 2005 5:34 pm

Re: secure it with php.ini

Post by CirTap » Thu Oct 19, 2006 9:05 pm

read this thread, it has all been discussed here... in length :-)
you'll find more than one "solution" posted, one may match and work for your server environment, or none at all.
messing with php.ini is not always necessary, and more often not even possible, for very good reasons.

I also recommend reading this sticky *carefully*, written by rliskey: http://forum.joomla.org/index.php/topic,81058.0.html
The sticky contains other possible "ways" to secure your installation, some may be applicable for you.

Have fun,
CirTap
You can have programs written fast, well, and cheap, but you only get to pick 2 ...

"I love deadlines. I like the whooshing sound they make as they fly by." Douglas Adams

gemigene
Joomla! Apprentice
Posts: 43
Joined: Mon Oct 16, 2006 8:11 pm
Location: Gatineau, QC, Canada

Re: secure it with php.ini

Post by gemigene » Thu Oct 19, 2006 9:28 pm

nathandiehl wrote: create a new php file with the contents:



its results will give you the location.
Did that and GoDaddy's results are: /web/conf/php.ini, I wonder if I can access it...

Gemigene

Sreejith
Joomla! Fledgling
Posts: 4
Joined: Thu Sep 14, 2006 10:58 am

Re: secure it with php.ini

Post by Sreejith » Fri Oct 20, 2006 4:27 pm

I can't find  php.ini on my server  :o ???

gemigene
Joomla! Apprentice
Posts: 43
Joined: Mon Oct 16, 2006 8:11 pm
Location: Gatineau, QC, Canada

Re: secure it with php.ini

Post by gemigene » Fri Oct 20, 2006 7:02 pm

Sreejith wrote: I can't find  php.ini on my server  :o ???
Are you with GoDaddy? If so, you can create your own php.ini file and upload it to all your Joomla directories.

I tried the .htaccess file as described in the forums but it didn't work out for me, led me to a server error.

Gemigene

p.s. I would really like to use Joomla as a front end to my site but if I keep running into problems, chances are I'll just switch back to good old HTML programming. I've created quite a few HTML sites and hardly ever ran into problems.

rjmccorkle
Joomla! Apprentice
Posts: 14
Joined: Sat May 13, 2006 9:10 pm
Location: Az-USA

Re: secure it with php.ini

Post by rjmccorkle » Fri Oct 20, 2006 11:52 pm

you can contact me at robert dot_mccorkle at gmail _ dot com - i'm also on aim/google chat
-Robert
Designer & Developer | Website Management Systems
http://www.RAinsites.com

Sreejith
Joomla! Fledgling
Posts: 4
Joined: Thu Sep 14, 2006 10:58 am

Re: secure it with php.ini

Post by Sreejith » Sat Oct 21, 2006 8:59 am

gemigene wrote:
Sreejith wrote: I can't find  php.ini on my server  :o ???
Are you with GoDaddy? If so, you can create your own php.ini file and upload it to all your Joomla directories.

I tried the .htaccess file as described in the forums but it didn't work out for me, led me to a server error.

Gemigene

p.s. I would really like to use Joomla as a front end to my site but if I keep running into problems, chances are I'll just switch back to good old HTML programming. I've created quite a few HTML sites and hardly ever ran into problems.
No. My site is hosted by Contrast Hosting  :'( how can I make a custom php.ini?  ???

gemigene
Joomla! Apprentice
Posts: 43
Joined: Mon Oct 16, 2006 8:11 pm
Location: Gatineau, QC, Canada

Re: secure it with php.ini

Post by gemigene » Sat Oct 21, 2006 7:24 pm

Sreejith wrote:
gemigene wrote:
Sreejith wrote: I can't find  php.ini on my server  :o ???
Are you with GoDaddy? If so, you can create your own php.ini file and upload it to all your Joomla directories.

I tried the .htaccess file as described in the forums but it didn't work out for me, led me to a server error.

Gemigene

p.s. I would really like to use Joomla as a front end to my site but if I keep running into problems, chances are I'll just switch back to good old HTML programming. I've created quite a few HTML sites and hardly ever ran into problems.
No. My site is hosted by Contrast Hosting  :'( how can I make a custom php.ini?  ???
Did you try asking their technical support to turn register_globals to OFF?

Gemigene

 
