Components not working with Register Globals Emulation off

Discussion regarding Joomla! security issues.

Moderator: General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
Locked
ramiotisdimos78
Joomla! Fledgling
Joomla! Fledgling
Posts: 4
Joined: Fri Apr 27, 2007 3:56 pm

Re: Components not working with Register Globals Emulation off

Post by ramiotisdimos78 » Fri Apr 27, 2007 5:14 pm

Hi Guys

I can't set register_globals setting to OFF

HELP

I'M NEW MEMBER

 
User avatar
pe7er
Joomla! Master
Joomla! Master
Posts: 22515
Joined: Thu Aug 18, 2005 8:55 pm
Location: Nijmegen, Netherlands
Contact:

Re: Components not working with Register Globals Emulation off

Post by pe7er » Fri Apr 27, 2007 5:37 pm

ramiotisdimos78 wrote:I can't set register_globals setting to OFF
First, ask your host if they would switch it off.
If you are on Shared Hosting they probably won't as it affect the whole server.

To do it yourself, read the info about Register Globals and how to configure:
http://forum.joomla.org/index.php/topic,93640.0.html


PS: please don't use All Caps...
Kind Regards,
Peter Martin, Global Moderator
https://db8.nl - Joomla specialist, Nijmegen, Nederland
Co-developer of d2 Content https://data2site.com/joomla-extensions/d2-content

ramiotisdimos78
Joomla! Fledgling
Joomla! Fledgling
Posts: 4
Joined: Fri Apr 27, 2007 3:56 pm

Re: Components not working with Register Globals Emulation off

Post by ramiotisdimos78 » Fri Apr 27, 2007 5:59 pm

i create a php.ini file .in all folders ...but nothing

My webhost...can't switch it to OFF

Helppp
I want to change it to work mosDirectory .....Now in administartor panel.....when i go to mosdirectory configuration...and change  configuration and the hit save button....It's isn't be any change

help me
help me

zvezda
Joomla! Apprentice
Joomla! Apprentice
Posts: 40
Joined: Fri Jan 19, 2007 7:07 pm

Re: Components not working with Register Globals Emulation off

Post by zvezda » Sat May 12, 2007 9:33 am

Hello, hello.

Does anyone know why I get an security error
PHP register_globals setting is `ON` instead of `OFF`
I changed rg emulation from 1 to 0 but still has a warning

thanks in advance

lerlacher
Joomla! Intern
Joomla! Intern
Posts: 63
Joined: Sun Apr 01, 2007 6:57 pm

Re: Components not working with Register Globals Emulation off

Post by lerlacher » Sat May 12, 2007 10:11 am

hello, this means that in the server-global php configuration you have the setting on.

you have the following choices:

- ask your webhoster to make the change globally for your web hosting
- (try to) do it yourself as proposed here: http://forum.joomla.org/index.php/topic,168965.0.html

Andresito
Joomla! Apprentice
Joomla! Apprentice
Posts: 11
Joined: Sun Jan 28, 2007 10:19 pm

Re: Components not working with Register Globals Emulation off

Post by Andresito » Sun May 13, 2007 8:56 am

If you have any component that does not work because of this, report them to me by PM or email.
I use mylinks 1.3  it which i know it does not work with rg_emulaion off, the strange thing is this

rg_emulaion was off in my site  till two days ago when suddenly it turned to ON all on it's own, i see that in the warning in control panel of joomla, but even so My Links do not work.

What is the reason it change to ON and how can i fix it, i have looked already in the php.ini, but it is off, where else should i look for
Last edited by Andresito on Sun May 13, 2007 9:04 am, edited 1 time in total.

lerlacher
Joomla! Intern
Joomla! Intern
Posts: 63
Joined: Sun Apr 01, 2007 6:57 pm

Re: Components not working with Register Globals Emulation off

Post by lerlacher » Sun May 13, 2007 10:04 am

hello,

please defferentiate: register_globals is a php setting. It makes post- and get-arguments variables, so url.com/script.php?abc=1 would result in the variable $abc with the value "1" in your script.

rg_emulation is a jomla setting, which does the same thing.

So - which one is turned ON in your site?and what does phpinfo() say?
Last edited by lerlacher on Sun May 13, 2007 10:07 am, edited 1 time in total.

Kingspawn
Joomla! Apprentice
Joomla! Apprentice
Posts: 21
Joined: Sun May 20, 2007 6:01 am

Re: Components not working with Register Globals Emulation off

Post by Kingspawn » Fri Jun 08, 2007 4:39 am

ok i used the code and i still get
Following PHP Server Settings are not optimal for Security and it is recommended to change them:

    * PHP register_globals setting is `ON` instead of `OFF`
but it's set to "0"  :'(

Chrissy101
Joomla! Apprentice
Joomla! Apprentice
Posts: 7
Joined: Wed Jul 26, 2006 6:27 pm

Re: Components not working with Register Globals Emulation off

Post by Chrissy101 » Thu Jun 14, 2007 8:04 pm

I set register_globals to off in the globals.php file like this:

define( 'RG_EMULATION', 0 );

but I still get this error when i log into the back end of my site and none of the pop ups for the page editor works...

Following PHP Server Settings are not optimal for Security and it is recommended to change them:

    * PHP register_globals setting is `ON` instead of `OFF`


Any ideas?

User avatar
pe7er
Joomla! Master
Joomla! Master
Posts: 22515
Joined: Thu Aug 18, 2005 8:55 pm
Location: Nijmegen, Netherlands
Contact:

Re: Components not working with Register Globals Emulation off

Post by pe7er » Thu Jun 14, 2007 8:59 pm

Chrissy101 wrote:I set register_globals to off in the globals.php file like this:
define( 'RG_EMULATION', 0 );

but I still get this error when i log into the back end of my site and none of the pop ups for the page editor works...
Following PHP Server Settings are not optimal for Security and it is recommended to change them:
    * PHP register_globals setting is `ON` instead of `OFF`
RG_Emulation & Register Globals are two different settings...
Info about Register Globals & RG_Emulation and how to configure:
http://forum.joomla.org/index.php/topic,93640.0.html
Kind Regards,
Peter Martin, Global Moderator
https://db8.nl - Joomla specialist, Nijmegen, Nederland
Co-developer of d2 Content https://data2site.com/joomla-extensions/d2-content

Chrissy101
Joomla! Apprentice
Joomla! Apprentice
Posts: 7
Joined: Wed Jul 26, 2006 6:27 pm

Re: Components not working with Register Globals Emulation off

Post by Chrissy101 » Thu Jun 14, 2007 9:36 pm

pe7er wrote: RG_Emulation & Register Globals are two different settings...
Info about Register Globals & RG_Emulation and how to configure:
http://forum.joomla.org/index.php/topic,93640.0.html
Thanks! The error is now gone but i still have some issues with the page editor. When i try to press on the HTML button or insert link button  I get a blank pop up window. Any ideas as to why it won't load properly? I thought it was because of the register globals but that's fixed now and i still have the same issue.

User avatar
paulmark
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 143
Joined: Thu Nov 24, 2005 4:14 am
Location: Vancouver, Canada
Contact:

Re: Components not working with Register Globals Emulation off

Post by paulmark » Thu Jun 28, 2007 3:54 pm

I am stumped.  I still get this message in Joomla Admin (ver 1.0.12):

Following PHP Server Settings are not optimal for Security and it is recommended to change them:

    * PHP magic_quotes_gpc setting is `OFF` instead of `ON`
    * PHP register_globals setting is `ON` instead of `OFF`

My globals.php file is set to:
define( 'RG_EMULATION', 0 );

This is in my .htaccess file:

php_flag register_globals off
php_flag magic_quotes_gpc on


Running:
Apache Web Serve ver: 2.0.52
MySQL ver: 4.1.21
Joomla Ver: 1.0.12
PHP Version 4.4.4

What am I missing?

pe7er wrote:
Chrissy101 wrote:I set register_globals to off in the globals.php file like this:
define( 'RG_EMULATION', 0 );

but I still get this error when i log into the back end of my site and none of the pop ups for the page editor works...
Following PHP Server Settings are not optimal for Security and it is recommended to change them:
    * PHP register_globals setting is `ON` instead of `OFF`
RG_Emulation & Register Globals are two different settings...
Info about Register Globals & RG_Emulation and how to configure:
http://forum.joomla.org/index.php/topic,93640.0.html
Building Web Communities[right]KaJoomla.com[/right]

Kingspawn
Joomla! Apprentice
Joomla! Apprentice
Posts: 21
Joined: Sun May 20, 2007 6:01 am

Re: Components not working with Register Globals Emulation off

Post by Kingspawn » Fri Jun 29, 2007 5:21 am

paulmark wrote: I am stumped.  I still get this message in Joomla Admin (ver 1.0.12):

Following PHP Server Settings are not optimal for Security and it is recommended to change them:

    * PHP magic_quotes_gpc setting is `OFF` instead of `ON`
    * PHP register_globals setting is `ON` instead of `OFF`

My globals.php file is set to:
define( 'RG_EMULATION', 0 );

This is in my .htaccess file:

php_flag register_globals off
php_flag magic_quotes_gpc on


Running:
Apache Web Serve ver: 2.0.52
MySQL ver: 4.1.21
Joomla Ver: 1.0.12
PHP Version 4.4.4

What am I missing?

pe7er wrote:
Chrissy101 wrote:I set register_globals to off in the globals.php file like this:
define( 'RG_EMULATION', 0 );

but I still get this error when i log into the back end of my site and none of the pop ups for the page editor works...
Following PHP Server Settings are not optimal for Security and it is recommended to change them:
    * PHP register_globals setting is `ON` instead of `OFF`
RG_Emulation & Register Globals are two different settings...
Info about Register Globals & RG_Emulation and how to configure:
http://forum.joomla.org/index.php/topic,93640.0.html
I have the same problem, and so for no solution
and now on my other servers i can not use the fast CGI fast PHP script , if i do the same error message comes up in joomla..... ???
This would not be a problem so much but i have these hackers on my back... so beware of these guys

[Moderator note; info on hacker site removed]
Last edited by Robin on Fri Jun 29, 2007 5:23 am, edited 1 time in total.

User avatar
Robin
Joomla! Master
Joomla! Master
Posts: 15753
Joined: Thu Aug 18, 2005 10:41 am

Re: Components not working with Register Globals Emulation off

Post by Robin » Fri Jun 29, 2007 5:24 am

Moderator note; at Kingspawn, please do not post such info in public, it will only draw there attention. No need to post this in public.

Kingspawn
Joomla! Apprentice
Joomla! Apprentice
Posts: 21
Joined: Sun May 20, 2007 6:01 am

Re: Components not working with Register Globals Emulation off

Post by Kingspawn » Fri Jun 29, 2007 5:31 am

RobInk wrote: Moderator note; at Kingspawn, please do not post such info in public, it will only draw there attention. No need to post this in public.
sorry...... but they do make me so mad that hackers can get away with changing the contest of my site, and there is nothing anyone can do about it.  :-[

User avatar
Robin
Joomla! Master
Joomla! Master
Posts: 15753
Joined: Thu Aug 18, 2005 10:41 am

Re: Components not working with Register Globals Emulation off

Post by Robin » Fri Jun 29, 2007 5:34 am

No worries, I share your concern. There are some useful topics in the Security forum, to make your site as secure as possible, those are worth a read. Back on topic...  ;)

dekstrom
Joomla! Fledgling
Joomla! Fledgling
Posts: 4
Joined: Thu Mar 22, 2007 3:46 am

Re: Components not working with Register Globals Emulation off

Post by dekstrom » Thu Jul 05, 2007 2:48 pm

I'm really new at this.  I tried some of the settings  listed in the posts, and read the security info. I still get the error

Following PHP Server Settings are not optimal for Security and it is recommended to change them:

PHP register_globals setting is `ON` instead of `OFF`


I did have the one about RG EMULATION, but editing the globals.php fixed that one.

I tried a .htaccess file but got this error when I tried to reload the backend Joomla! admin

Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator, webadmin@kundenserver.de and inform them of the time the error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log.


Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request.


I also tried creating a php.ini file, no go.

What am I missing?

Kingspawn
Joomla! Apprentice
Joomla! Apprentice
Posts: 21
Joined: Sun May 20, 2007 6:01 am

Re: Components not working with Register Globals Emulation off

Post by Kingspawn » Thu Jul 05, 2007 5:45 pm

dekstrom wrote: I'm really new at this.  I tried some of the settings  listed in the posts, and read the security info. I still get the error

Following PHP Server Settings are not optimal for Security and it is recommended to change them:

PHP register_globals setting is `ON` instead of `OFF`


I did have the one about RG EMULATION, but editing the globals.php fixed that one.

I tried a .htaccess file but got this error when I tried to reload the backend Joomla! admin

Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator, webadmin@kundenserver.de and inform them of the time the error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log.


Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request.


I also tried creating a php.ini file, no go.

What am I missing?
I tried all of that too. It has to do with how the server is set. Some providers leave it on now, and your right if it is off then you need the interpreter - PHP.ini file  to translate the PHP. my provider says i will not be hacked again if i change my pass word, but there is a hole in the programing of PHP when globals are left on. well that how I undersand it so far.
Does anyone know how they hack Joomla. If i new how , i my be able to pulg the hole some how. sort of re-naming all the directors, and the SQL database and edited all the files to conform to the re-naming.... there must be a better way. :-[     

User avatar
rliskey
Joomla! Guru
Joomla! Guru
Posts: 828
Joined: Tue Jun 06, 2006 7:41 am
Location: California, Germany, Norway
Contact:

Re: Components not working with Register Globals Emulation off

Post by rliskey » Wed Jul 11, 2007 8:18 am

Does anyone know how they hack Joomla.
Here are a few of the most common methods that come to mind. I'm probably forgetting many equally good methds:

1. Weak server administration (such as telling you you can't get hacked again if you change your password!) You should get that in writing with a money back guarantee!

2. Vulnerable PHP configuration, such as leaving register_globals on.

3. Cross site attacks from other sites on your shared server. (Related to #1 and #2)

4. Hacked personal computer key logging.

5. No SSL server and packet sniffing.

6. Brute force password attacks, perhaps combined with poor password choices.

7. Vulnerable Joomla extensions installed.

8. Other vulnerable PHP scripts installed. (Also perl, tcl, java, etc.)

9. Vulnerable MySQL configuration (related to #1)

10. Vulnerable backups, such as left in your web directory or grabbed en route during email.

11. Vulnerable tmp and session directories (related to #1)

12. Old version of Joomla! installed.

13. Multiple templates installed, some of which include security hacks.

Kingspawn
Joomla! Apprentice
Joomla! Apprentice
Posts: 21
Joined: Sun May 20, 2007 6:01 am

Re: Components not working with Register Globals Emulation off

Post by Kingspawn » Wed Jul 11, 2007 11:28 am

rliskey wrote:
Does anyone know how they hack Joomla.
Here are a few of the most common methods that come to mind. I'm probably forgetting many equally good methds:

1. Weak server administration (such as telling you you can't get hacked again if you change your password!) You should get that in writing with a money back guarantee!

2. Vulnerable PHP configuration, such as leaving register_globals on.

3. Cross site attacks from other sites on your shared server. (Related to #1 and #2)

4. Hacked personal computer key logging.

5. No SSL server and packet sniffing.

6. Brute force password attacks, perhaps combined with poor password choices.

7. Vulnerable Joomla extensions installed.

8. Other vulnerable PHP scripts installed. (Also perl, tcl, java, etc.)

9. Vulnerable MySQL configuration (related to #1)

10. Vulnerable backups, such as left in your web directory or grabbed en route during email.

11. Vulnerable tmp and session directories (related to #1)

12. Old version of Joomla! installed.

13. Multiple templates installed, some of which include security hacks.

guilty of many of these, I have no control over number 2. and yes the site i was talking about was hack yet again, yet on my other two servers Joomla runs fine, and none of thse 9 site have been hacked, but i do get , (spamers) or silent refrigerants signing up who never active that i just delete or block. BUT thanks for this list , I will use a security template for all my sites.

User avatar
rliskey
Joomla! Guru
Joomla! Guru
Posts: 828
Joined: Tue Jun 06, 2006 7:41 am
Location: California, Germany, Norway
Contact:

Re: Components not working with Register Globals Emulation off

Post by rliskey » Sat Jul 14, 2007 12:51 am

I have no control over number 2 (register_globals ON)
"Buyer Beware!"

Every site on a shared server with register_globals set ON is potentially a sitting duck. If you use such a server, you should be surprised if your site is NOT compromised.

Note that turning register_globals OFF on your site does nothing to protect you from other sites where it is still on. You do get some cross-site protection from good open_basedir settings, but that's a little like leaving the front door open and hoping everyone's safe because the bedroom doors are closed.

For security reasons, the use of register_globals has been depreciated on the official PHP site for years. Any ISP who doesn't turn it off is just trying to placate lazy customers who don't want to fix vulnerable code.

Note that register_globals is one of the 'features' that makes PHP a joke in many hardcore programmer circles. register_globals breaks one of the cardinal rules of good programming: Always know exactly where, when, and how your variables are set.

  Q: How do you write an insecure application?
  A: Use PHP!
  Often followed by general laughter and very quiet groans.

PHP CAN be secure, but ONLY if nutty options, such as register_globals are tuned OFF!

Best advise I can give is to find an ISP that does not support lazy customers. Rise above that muddle.

Note that your ISP contract will release them from all responsibility in the event of an attack. If your site gets blamed for causing a vulnerability, it may get shut down, and recovery will be your problem.

It's much easier to deal with the relatively minor challenge of using well written code.

Not coincidentally, that's what someone should have pointed out loud and clear when register_globals was first proposed. Note that as of PHP6, register_globals disappears from PHP for good.

Who wants to bet that no fool will write a PHP6 register_globals emulator, and some fool ISP will install it by default (as a convenience), and all that vulnerable code will continue to haunt us?
Last edited by rliskey on Sat Jul 14, 2007 12:58 am, edited 1 time in total.

Kingspawn
Joomla! Apprentice
Joomla! Apprentice
Posts: 21
Joined: Sun May 20, 2007 6:01 am

Re: Components not working with Register Globals Emulation off

Post by Kingspawn » Sat Jul 14, 2007 1:18 am

Who wants to bet that no fool will write a PHP6 register_globals emulator, and some fool ISP will install it by default (as a convenience), and all that vulnerable code will continue to haunt us?
Yikes! on my better servers they have installed a FAST CGI script , I had turned it on oops, then noted that there was a security warning in Joomla , i'll have to tell them about it, as Joomla is one of there popular features. .. as for the other server, i'll just have to stick to flash for menu's  and html for everthing else,  :'(  . 

User avatar
rliskey
Joomla! Guru
Joomla! Guru
Posts: 828
Joined: Tue Jun 06, 2006 7:41 am
Location: California, Germany, Norway
Contact:

Re: Components not working with Register Globals Emulation off

Post by rliskey » Sat Jul 14, 2007 1:36 am

FAST CGI
That's a new one for me. What are the Joomla security issues with that?

Kingspawn
Joomla! Apprentice
Joomla! Apprentice
Posts: 21
Joined: Sun May 20, 2007 6:01 am

Re: Components not working with Register Globals Emulation off

Post by Kingspawn » Sat Jul 14, 2007 1:47 am

rliskey wrote:
FAST CGI
That's a new one for me. What are the Joomla security issues with that?
you get the same errors  G R "on' installed of G R "off"
I wonder if that has anything to do with the speed that pages load?

User avatar
rliskey
Joomla! Guru
Joomla! Guru
Posts: 828
Joined: Tue Jun 06, 2006 7:41 am
Location: California, Germany, Norway
Contact:

Re: Components not working with Register Globals Emulation off

Post by rliskey » Sun Jul 15, 2007 1:27 am

you get the same errors  G R "on' installed of G R "off"
Does fastCGI ignore local .htaccess and php.ini files?

friesengeist
Joomla! Guru
Joomla! Guru
Posts: 842
Joined: Sat Sep 10, 2005 10:31 pm

Re: Components not working with Register Globals Emulation off

Post by friesengeist » Sun Jul 15, 2007 11:49 am

MOD EDIT: This information is now a Security and Performance FAQ:
http://help.joomla.org/component/option ... temid,268/


rliskey wrote:
you get the same errors  G R "on' installed of G R "off"
Does fastCGI ignore local .htaccess and php.ini files?
Probably related:
http://forum.joomla.org/index.php/topic ... #msg884365
friesengeist wrote: When PHP runs from FastCGI, that means that your server will run the PHP interpreter like an Apache module, but with the rights of your user account. Usually, the PHP interpreter is either running as the user of the webserver (which is fast, but insecure, since everyone's scripts run with the same rights), or as a CGI program, which is slow. So FastCGI is a good solution for shared hosting.

Now since the PHP interpreter runs just as one single instance, it is (AFAIK) not parsing the .htaccess or php.ini files per directory anymore. To change php.ini settings, your host needs to offer you some method to set up or modify your own php.ini, or at least parts of it. Here is how one of my hosts does this: it parses one php.ini file (which I can modify) once an hour, and puts some well defined settings into the php.ini file which is used by the web-server. Therefore, I am able to change e.g. register_globals, or choose if I want to run PHP4 or PHP5, but I can't set any other php settings on that host.

In your case, I would ask your host if they can either enable a similar method for you, or if they can at least adjust the register_globals php setting for you. That should be fairly easy for them.
Last edited by rliskey on Sun Jul 15, 2007 9:02 pm, edited 1 time in total.
We may not be able to control the wind, but we can always adjust our sails

User avatar
.::ErKs::.
Joomla! Apprentice
Joomla! Apprentice
Posts: 18
Joined: Mon May 15, 2006 5:04 pm

Re: Components not working with Register Globals Emulation off

Post by .::ErKs::. » Mon Sep 10, 2007 8:56 am

Hi all!

ArtForms => 2.1b4 works with PHP RG and Joomla RG Emulation OFF.

For more info please see:
http://joomlacode.org/gf/project/jartforms/

jaatendi
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 190
Joined: Tue Jun 10, 2008 6:09 pm
Contact:

Re: Components not working with Register Globals Emulation off

Post by jaatendi » Fri Jul 24, 2009 6:00 pm

I am setting up the Expose photo gallery right now, and the System Check feature of the component is telling me I need to change the setting in globals.php to define( 'RG_EMULATION', 0 );

The issue is I my globals.php does not have that line of code in it. I don't understand?

 

Locked

Return to “Security - 1.0.x”