Components not working with Register Globals Emulation off

[ramiotisdimos78]

Hi Guys

I can't set register_globals setting to OFF

HELP

I'M NEW MEMBER

[pe7er]

I can't set register_globals setting to OFF

First, ask your host if they would switch it off.
If you are on Shared Hosting they probably won't as it affect the whole server.

To do it yourself, read the info about Register Globals and how to configure:
http://forum.joomla.org/index.php/topic,93640.0.html


PS: please don't use All Caps...

[ramiotisdimos78]

i create a php.ini file .in all folders ...but nothing

My webhost...can't switch it to OFF

Helppp
I want to change it to work mosDirectory .....Now in administartor panel.....when i go to mosdirectory configuration...and change  configuration and the hit save button....It's isn't be any change

help me
help me

[zvezda]

Hello, hello.

Does anyone know why I get an security error
PHP register_globals setting is `ON` instead of `OFF`
I changed rg emulation from 1 to 0 but still has a warning

thanks in advance

[lerlacher]

hello, this means that in the server-global php configuration you have the setting on.

you have the following choices:

- ask your webhoster to make the change globally for your web hosting
- (try to) do it yourself as proposed here: http://forum.joomla.org/index.php/topic,168965.0.html

[Andresito]

If you have any component that does not work because of this, report them to me by PM or email.

I use mylinks 1.3  it which i know it does not work with rg_emulaion off, the strange thing is this

rg_emulaion was off in my site  till two days ago when suddenly it turned to ON all on it's own, i see that in the warning in control panel of joomla, but even so My Links do not work.

What is the reason it change to ON and how can i fix it, i have looked already in the php.ini, but it is off, where else should i look for

[lerlacher]

hello,

please defferentiate: register_globals is a php setting. It makes post- and get-arguments variables, so url.com/script.php?abc=1 would result in the variable $abc with the value "1" in your script.

rg_emulation is a jomla setting, which does the same thing.

So - which one is turned ON in your site?and what does phpinfo() say?

[Kingspawn]

ok i used the code and i still get
Following PHP Server Settings are not optimal for Security and it is recommended to change them:

    * PHP register_globals setting is `ON` instead of `OFF`
but it's set to "0" 

[Chrissy101]

I set register_globals to off in the globals.php file like this:

define( 'RG_EMULATION', 0 );

but I still get this error when i log into the back end of my site and none of the pop ups for the page editor works...

Following PHP Server Settings are not optimal for Security and it is recommended to change them:

    * PHP register_globals setting is `ON` instead of `OFF`


Any ideas?

[pe7er]

I set register_globals to off in the globals.php file like this:
define( 'RG_EMULATION', 0 );

but I still get this error when i log into the back end of my site and none of the pop ups for the page editor works...
Following PHP Server Settings are not optimal for Security and it is recommended to change them:
    * PHP register_globals setting is `ON` instead of `OFF`

RG_Emulation & Register Globals are two different settings...
Info about Register Globals & RG_Emulation and how to configure:
http://forum.joomla.org/index.php/topic,93640.0.html

[Chrissy101]

RG_Emulation & Register Globals are two different settings...
Info about Register Globals & RG_Emulation and how to configure:
http://forum.joomla.org/index.php/topic,93640.0.html

Thanks! The error is now gone but i still have some issues with the page editor. When i try to press on the HTML button or insert link button  I get a blank pop up window. Any ideas as to why it won't load properly? I thought it was because of the register globals but that's fixed now and i still have the same issue.

[paulmark]

I am stumped.  I still get this message in Joomla Admin (ver 1.0.12):

Following PHP Server Settings are not optimal for Security and it is recommended to change them:

    * PHP magic_quotes_gpc setting is `OFF` instead of `ON`
    * PHP register_globals setting is `ON` instead of `OFF`

My globals.php file is set to:
define( 'RG_EMULATION', 0 );

This is in my .htaccess file:

php_flag register_globals off
php_flag magic_quotes_gpc on

Running:
Apache Web Serve ver: 2.0.52
MySQL ver: 4.1.21
Joomla Ver: 1.0.12
PHP Version 4.4.4

What am I missing?

I set register_globals to off in the globals.php file like this:
define( 'RG_EMULATION', 0 );

but I still get this error when i log into the back end of my site and none of the pop ups for the page editor works...
Following PHP Server Settings are not optimal for Security and it is recommended to change them:
    * PHP register_globals setting is `ON` instead of `OFF`

RG_Emulation & Register Globals are two different settings...
Info about Register Globals & RG_Emulation and how to configure:
http://forum.joomla.org/index.php/topic,93640.0.html

[Kingspawn]

I am stumped.  I still get this message in Joomla Admin (ver 1.0.12):

Following PHP Server Settings are not optimal for Security and it is recommended to change them:

    * PHP magic_quotes_gpc setting is `OFF` instead of `ON`
    * PHP register_globals setting is `ON` instead of `OFF`

My globals.php file is set to:
define( 'RG_EMULATION', 0 );

This is in my .htaccess file:

php_flag register_globals off
php_flag magic_quotes_gpc on

Running:
Apache Web Serve ver: 2.0.52
MySQL ver: 4.1.21
Joomla Ver: 1.0.12
PHP Version 4.4.4

What am I missing?

I set register_globals to off in the globals.php file like this:
define( 'RG_EMULATION', 0 );

but I still get this error when i log into the back end of my site and none of the pop ups for the page editor works...
Following PHP Server Settings are not optimal for Security and it is recommended to change them:
    * PHP register_globals setting is `ON` instead of `OFF`

RG_Emulation & Register Globals are two different settings...
Info about Register Globals & RG_Emulation and how to configure:
http://forum.joomla.org/index.php/topic,93640.0.html

I have the same problem, and so for no solution
and now on my other servers i can not use the fast CGI fast PHP script , if i do the same error message comes up in joomla.....
This would not be a problem so much but i have these hackers on my back... so beware of these guys

[Moderator note; info on hacker site removed]

[Robin]

Moderator note; at Kingspawn, please do not post such info in public, it will only draw there attention. No need to post this in public.

[Kingspawn]

Moderator note; at Kingspawn, please do not post such info in public, it will only draw there attention. No need to post this in public.

sorry...... but they do make me so mad that hackers can get away with changing the contest of my site, and there is nothing anyone can do about it. 

[Robin]

No worries, I share your concern. There are some useful topics in the Security forum, to make your site as secure as possible, those are worth a read. Back on topic... 

[dekstrom]

I'm really new at this.  I tried some of the settings  listed in the posts, and read the security info. I still get the error

Following PHP Server Settings are not optimal for Security and it is recommended to change them:

PHP register_globals setting is `ON` instead of `OFF`

I did have the one about RG EMULATION, but editing the globals.php fixed that one.

I tried a .htaccess file but got this error when I tried to reload the backend Joomla! admin

Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator, webadmin@kundenserver.de and inform them of the time the error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log.


Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request.

I also tried creating a php.ini file, no go.

What am I missing?

[Kingspawn]

I'm really new at this.  I tried some of the settings  listed in the posts, and read the security info. I still get the error

Following PHP Server Settings are not optimal for Security and it is recommended to change them:

PHP register_globals setting is `ON` instead of `OFF`

I did have the one about RG EMULATION, but editing the globals.php fixed that one.

I tried a .htaccess file but got this error when I tried to reload the backend Joomla! admin

Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator, webadmin@kundenserver.de and inform them of the time the error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log.


Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request.

I also tried creating a php.ini file, no go.

What am I missing?

I tried all of that too. It has to do with how the server is set. Some providers leave it on now, and your right if it is off then you need the interpreter - PHP.ini file  to translate the PHP. my provider says i will not be hacked again if i change my pass word, but there is a hole in the programing of PHP when globals are left on. well that how I undersand it so far.
Does anyone know how they hack Joomla. If i new how , i my be able to pulg the hole some how. sort of re-naming all the directors, and the SQL database and edited all the files to conform to the re-naming.... there must be a better way.      

[rliskey]

Does anyone know how they hack Joomla.

Here are a few of the most common methods that come to mind. I'm probably forgetting many equally good methds:

1. Weak server administration (such as telling you you can't get hacked again if you change your password!) You should get that in writing with a money back guarantee!

2. Vulnerable PHP configuration, such as leaving register_globals on.

3. Cross site attacks from other sites on your shared server. (Related to #1 and #2)

4. Hacked personal computer key logging.

5. No SSL server and packet sniffing.

6. Brute force password attacks, perhaps combined with poor password choices.

7. Vulnerable Joomla extensions installed.

8. Other vulnerable PHP scripts installed. (Also perl, tcl, java, etc.)

9. Vulnerable MySQL configuration (related to #1)

10. Vulnerable backups, such as left in your web directory or grabbed en route during email.

11. Vulnerable tmp and session directories (related to #1)

12. Old version of Joomla! installed.

13. Multiple templates installed, some of which include security hacks.

[Kingspawn]

Does anyone know how they hack Joomla.

Here are a few of the most common methods that come to mind. I'm probably forgetting many equally good methds:

1. Weak server administration (such as telling you you can't get hacked again if you change your password!) You should get that in writing with a money back guarantee!

2. Vulnerable PHP configuration, such as leaving register_globals on.

3. Cross site attacks from other sites on your shared server. (Related to #1 and #2)

4. Hacked personal computer key logging.

5. No SSL server and packet sniffing.

6. Brute force password attacks, perhaps combined with poor password choices.

7. Vulnerable Joomla extensions installed.

8. Other vulnerable PHP scripts installed. (Also perl, tcl, java, etc.)

9. Vulnerable MySQL configuration (related to #1)

10. Vulnerable backups, such as left in your web directory or grabbed en route during email.

11. Vulnerable tmp and session directories (related to #1)

12. Old version of Joomla! installed.

13. Multiple templates installed, some of which include security hacks.

guilty of many of these, I have no control over number 2. and yes the site i was talking about was hack yet again, yet on my other two servers Joomla runs fine, and none of thse 9 site have been hacked, but i do get , (spamers) or silent refrigerants signing up who never active that i just delete or block. BUT thanks for this list , I will use a security template for all my sites.

[rliskey]

I have no control over number 2 (register_globals ON)

"Buyer Beware!"

Every site on a shared server with register_globals set ON is potentially a sitting duck. If you use such a server, you should be surprised if your site is NOT compromised.

Note that turning register_globals OFF on your site does nothing to protect you from other sites where it is still on. You do get some cross-site protection from good open_basedir settings, but that's a little like leaving the front door open and hoping everyone's safe because the bedroom doors are closed.

For security reasons, the use of register_globals has been depreciated on the official PHP site for years. Any ISP who doesn't turn it off is just trying to placate lazy customers who don't want to fix vulnerable code.

Note that register_globals is one of the 'features' that makes PHP a joke in many hardcore programmer circles. register_globals breaks one of the cardinal rules of good programming: Always know exactly where, when, and how your variables are set.

  Q: How do you write an insecure application?
  A: Use PHP!
  Often followed by general laughter and very quiet groans.

PHP CAN be secure, but ONLY if nutty options, such as register_globals are tuned OFF!

Best advise I can give is to find an ISP that does not support lazy customers. Rise above that muddle.

Note that your ISP contract will release them from all responsibility in the event of an attack. If your site gets blamed for causing a vulnerability, it may get shut down, and recovery will be your problem.

It's much easier to deal with the relatively minor challenge of using well written code.

Not coincidentally, that's what someone should have pointed out loud and clear when register_globals was first proposed. Note that as of PHP6, register_globals disappears from PHP for good.

Who wants to bet that no fool will write a PHP6 register_globals emulator, and some fool ISP will install it by default (as a convenience), and all that vulnerable code will continue to haunt us?

[Kingspawn]

Who wants to bet that no fool will write a PHP6 register_globals emulator, and some fool ISP will install it by default (as a convenience), and all that vulnerable code will continue to haunt us?

Yikes! on my better servers they have installed a FAST CGI script , I had turned it on oops, then noted that there was a security warning in Joomla , i'll have to tell them about it, as Joomla is one of there popular features. .. as for the other server, i'll just have to stick to flash for menu's  and html for everthing else,    . 

[rliskey]

FAST CGI

That's a new one for me. What are the Joomla security issues with that?

[Kingspawn]

FAST CGI

That's a new one for me. What are the Joomla security issues with that?

you get the same errors  G R "on' installed of G R "off"
I wonder if that has anything to do with the speed that pages load?

[rliskey]

you get the same errors  G R "on' installed of G R "off"

Does fastCGI ignore local .htaccess and php.ini files?

[friesengeist]

MOD EDIT: This information is now a Security and Performance FAQ:
http://help.joomla.org/component/option ... temid,268/

you get the same errors  G R "on' installed of G R "off"

Does fastCGI ignore local .htaccess and php.ini files?

Probably related:
http://forum.joomla.org/index.php/topic ... #msg884365

When PHP runs from FastCGI, that means that your server will run the PHP interpreter like an Apache module, but with the rights of your user account. Usually, the PHP interpreter is either running as the user of the webserver (which is fast, but insecure, since everyone's scripts run with the same rights), or as a CGI program, which is slow. So FastCGI is a good solution for shared hosting.

Now since the PHP interpreter runs just as one single instance, it is (AFAIK) not parsing the .htaccess or php.ini files per directory anymore. To change php.ini settings, your host needs to offer you some method to set up or modify your own php.ini, or at least parts of it. Here is how one of my hosts does this: it parses one php.ini file (which I can modify) once an hour, and puts some well defined settings into the php.ini file which is used by the web-server. Therefore, I am able to change e.g. register_globals, or choose if I want to run PHP4 or PHP5, but I can't set any other php settings on that host.

In your case, I would ask your host if they can either enable a similar method for you, or if they can at least adjust the register_globals php setting for you. That should be fairly easy for them.

[.::ErKs::.]

Hi all!

ArtForms => 2.1b4 works with PHP RG and Joomla RG Emulation OFF.

For more info please see:
http://joomlacode.org/gf/project/jartforms/

[jaatendi]

I am setting up the Expose photo gallery right now, and the System Check feature of the component is telling me I need to change the setting in globals.php to define( 'RG_EMULATION', 0 );

The issue is I my globals.php does not have that line of code in it. I don't understand?