Curl and allow_url_fopen and joomla updates

Discussion regarding Joomla! 2.5 security issues.

Minnie Mouse
Joomla! Intern
Posts: 89
Joined: Fri Mar 23, 2007 6:28 pm

Curl and allow_url_fopen and joomla updates

Post by Minnie Mouse » Wed Dec 19, 2012 10:30 pm

Hi,
so I have a bunch of staged 2.5 sites on a server while I build them. Recently I had a malware incident on a site and my host added this (and more) to the php.ini file:
allow_url_fopen = Off

Now when I go to Extensions > Discover updates it tells me I need allow_url_fopen On. So I turned it back on and then updates are discoverable, BUT this represents a security risk.

It was my understanding that the extension manager first looks for cURL... and when I look in my PHP settings curl is enabled... so why is this happening??

Thanks

PhilD
Joomla! Hero
Posts: 2734
Joined: Sat Oct 21, 2006 10:20 pm
Location: Wisconsin USA

Re: Curl and allow_url_fopen and joomla updates

Post by PhilD » Thu Dec 20, 2012 7:49 pm

Find a different host; your current one is not secure and does not understand security.

Proper setup will have this:
allow_url_fopen On
allow_url_include Off

Set the PHP setting allow_url_fopen to "On".

Make sure that allow_url_include is set to "Off", since that is the 'open house' for hackers. Hosts that do not know this simply turn everything off, breaking many things as a result.

Joomla needs allow_url_fopen to be 'on' to make the upgrade work. There was discussion at one point, but I don't think at this time (if ever) the extension manager will fall back to or use curl. Some hosts that turn off allow_url_fopen will also turn off curl.

No big deal, as you can just download the patch, extract it, and upload it with FTP, selecting "overwrite all" to apply the patch.

You can also upload the update package by FTP and extract it directly on the server using the domain's file manager, which will overwrite the changed files automatically.
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator
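As an added example (not code from this thread, from PhilD, or from the Joomla project), here is a POSIX shell audit of the two directives in the setup above. It reads a php.ini the way PHP does (';' comments ignored, last uncommented assignment wins, On/True/Yes/1 are true, anything else is false) and reports whether allow_url_fopen is On and allow_url_include is Off. The function names ini_get, ini_bool and audit_php_ini, and the two php.ini files it writes, are constructed for this example; the "host" file imitates a host that appended allow_url_fopen = Off to an existing file.

```shell
#!/bin/sh
# Added example: audit a php.ini for the posture recommended in this thread.
#   allow_url_fopen   = On   (the Joomla updater needs it)
#   allow_url_include = Off  (the directive that allows remote file inclusion)

# Normalise a php.ini boolean to "on" or "off". PHP treats On/True/Yes/1 as
# true and Off/False/No/None/"" (or an absent directive) as false.
ini_bool() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        on|true|yes|1) echo on ;;
        *)             echo off ;;
    esac
}

# Print the effective value of directive $2 in the php.ini file $1.
# Strips ';' comments; the last uncommented assignment wins, as in PHP.
ini_get() {
    sed -e 's/;.*$//' "$1" \
      | awk -F= -v key="$2" '
          { k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k) }
          k == key { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); gsub(/"/, "", v); last = v; found = 1 }
          END { if (found) print last }'
}

# Report both directives for file $1. Returns 0 when the file matches the
# recommended posture and 1 when either directive needs changing.
audit_php_ini() {
    fopen=$(ini_bool "$(ini_get "$1" allow_url_fopen)")
    include=$(ini_bool "$(ini_get "$1" allow_url_include)")
    status=0
    if [ "$fopen" = on ]; then
        echo "OK   allow_url_fopen = On (required by the Joomla updater)"
    else
        echo "WARN allow_url_fopen = Off (Joomla update discovery will fail)"
        status=1
    fi
    if [ "$include" = off ]; then
        echo "OK   allow_url_include = Off"
    else
        echo "FAIL allow_url_include = On (remote include possible; set it Off)"
        status=1
    fi
    return $status
}

# Constructed sample files (not real host configurations) so the script runs
# stand-alone. HOST_INI imitates a host that appended a lockdown line.
HOST_INI=$(mktemp)
RECOMMENDED_INI=$(mktemp)
cat > "$HOST_INI" <<'EOF'
; php.ini after the host's lockdown: the later line overrides the earlier one
allow_url_fopen = On
allow_url_include = Off
allow_url_fopen = Off
EOF
cat > "$RECOMMENDED_INI" <<'EOF'
allow_url_fopen = On
allow_url_include = Off
EOF

for f in "$HOST_INI" "$RECOMMENDED_INI"; do
    echo "== $f"
    audit_php_ini "$f" || echo "   -> needs attention"
done
```

Check the live interpreter rather than only the file on disk: a .user.ini, an Apache php_admin_value line, or a per-site php.ini can override what the main file says, so `php -r 'var_dump(ini_get("allow_url_fopen"), ini_get("allow_url_include"));'` (run as the same PHP build the web server uses) is the value Joomla will actually see.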

Minnie Mouse
Joomla! Intern
Posts: 89
Joined: Fri Mar 23, 2007 6:28 pm

Re: Curl and allow_url_fopen and joomla updates

Post by Minnie Mouse » Thu Dec 20, 2012 10:13 pm

Cool.. thanks for the good info!!

hostking
Joomla! Apprentice
Posts: 28
Joined: Sat Sep 01, 2012 7:02 pm

Re: Curl and allow_url_fopen and joomla updates

Post by hostking » Thu Dec 27, 2012 8:36 pm

Nice - Thanks for this tip
Top Joomla and CMS Hosting And Domains Provider In South Africa
https://www.hostking.co.za/web-hosting

pe7er
Joomla! Master
Posts: 22153
Joined: Thu Aug 18, 2005 8:55 pm
Location: Nijmegen, The Netherlands

Re: Curl and allow_url_fopen and joomla updates

Post by pe7er » Fri Feb 01, 2013 4:44 pm

PhilD wrote: Find a different host, your current one is not secure and does not understand security.

Proper setup will have this:
allow_url_fopen On
allow_url_include Off
This Joomla documentation http://docs.joomla.org/Security_Checkli ... _url_fopen states
Don't use PHP allow_url_fopen
Should it be changed to
Don't use PHP allow_url_include, but it's okay to use allow_url_fopen to get Joomla's One-Click-Update to work properly
Kind Regards,
Peter Martin, Global Moderator
https://db8.nl - Joomla specialist, Nijmegen, Nederland
Co-developer of d2 Content https://data2site.com/joomla-extensions/d2-content

leolam
Joomla! Master
Posts: 19553
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ UK/ S'pore/Jakarta/ North America

Re: Curl and allow_url_fopen and joomla updates

Post by leolam » Fri Feb 01, 2013 4:47 pm

leolam wrote:
pe7er wrote: This Joomla documentation http://docs.joomla.org/Security_Checkli ... _url_fopen states
Don't use PHP allow_url_fopen
Should it be changed to
Don't use PHP allow_url_include, but it's okay to use allow_url_fopen to get Joomla's One-Click-Update to work properly
Yes it should be changed for sure

suggestion:

Never use PHP allow_url_include which is a serious security threat, but use allow_url_fopen to get Joomla's One-Click-Update to work properly

Leo 8)
Joomla's #1 Professional Support Provider:
-> Joomla Professional Support: https://gws-desk.com -
-> Joomla Specialized Hosting Solutions: https://gws-host.com -
-> Joomla Webmaster Services: gws-webmaster.services

PhilD
Joomla! Hero
Posts: 2734
Joined: Sat Oct 21, 2006 10:20 pm
Location: Wisconsin USA

Re: Curl and allow_url_fopen and joomla updates

Post by PhilD » Fri Feb 01, 2013 7:25 pm

Ok, sounds good to me. While on the page, should something be done with magic_quotes_gpc? J3.0 requires magic quotes to be off, and it (the quotes) is deprecated as of PHP 5.3.0 and removed from PHP as of PHP 5.4.0.

The page is not protected, so it can be edited by anyone. I won't have time today or tomorrow, but maybe over the weekend if you want me to make the edits.
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator

leolam
Joomla! Master
Posts: 19553
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ UK/ S'pore/Jakarta/ North America

Re: Curl and allow_url_fopen and joomla updates

Post by leolam » Sat Feb 02, 2013 1:30 am

PhilD wrote: I won't have time today or tomorrow, but maybe over the weekend if you want me to make the edits.
I know, Phil, and I'm not lazy, but I'll simply leave it in your skillful hands.

Re. Magic quotes: something along your line, probably: "Joomla advises MQ to be off in the Joomla 2.5 branch. J3.0 requires magic quotes to be off, and MQ is deprecated as of the launch of PHP 5.3.0 (30-06-2009) and has been removed from PHP as of PHP 5.4.0."

Leo 8)
Joomla's #1 Professional Support Provider:
-> Joomla Professional Support: https://gws-desk.com -
-> Joomla Specialized Hosting Solutions: https://gws-host.com -
-> Joomla Webmaster Services: gws-webmaster.services

PhilD
Joomla! Hero
Posts: 2734
Joined: Sat Oct 21, 2006 10:20 pm
Location: Wisconsin USA

Re: Curl and allow_url_fopen and joomla updates

Post by PhilD » Sat Feb 02, 2013 4:53 am

Sure that's fine
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator

alwarren
Joomla! Guru
Posts: 527
Joined: Fri Aug 19, 2005 9:27 am

Re: Curl and allow_url_fopen and joomla updates

Post by alwarren » Mon Feb 04, 2013 6:31 pm

I agree. The whole reason they created allow_url_include was to give us separate control over reading remote content versus including remote content in our scripts. Now, when allow_url_fopen is off, allow_url_include is also off. But if allow_url_include is off, then there's no point in having allow_url_fopen off as well IF we have good filtering in place.

Some servers may have allow_url_fopen off because they've been around for years, went through PHP upgrades, and no one ever turned it on. Or they're just uber paranoid. Either way, I think having allow_url_fopen on is perfectly safe IF you have output filtering in place (including output to a db) AND allow_url_include is off.

Splitting remote access into two distinct functions gave us the flexibility of doing things like upgrading Joomla and reading RSS feeds. There's no reason we shouldn't take advantage of it.
Al Warren
This ain't my first rodeo. Red Foreman says it best.
CQDX de WR5AW

PhilD
Joomla! Hero
Posts: 2734
Joined: Sat Oct 21, 2006 10:20 pm
Location: Wisconsin USA

Re: Curl and allow_url_fopen and joomla updates

Post by PhilD » Wed Feb 20, 2013 1:39 am

Cleaned up and corrected some stuff on the page:
http://docs.joomla.org/Security_Checkli ... rver_Setup
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator

killerkoz
Joomla! Apprentice
Posts: 19
Joined: Mon Aug 08, 2011 4:03 am

Re: Curl and allow_url_fopen and joomla updates

Post by killerkoz » Thu Apr 16, 2015 8:15 am

I realise this topic is a couple of years old but assuming allow_url_fopen ON and allow_url_include OFF is still best practice, in addition to the changes made to the above link, the following links need minor updates as well (both suggest allow_url_fopen OFF is good):

1. https://docs.joomla.org/Security_and_Pe ... ensions.3F (see Bad Practices section)
2. https://docs.joomla.org/Security_and_Pe ... taccess.3F

I'm a beginner who's very thoroughly read the Security Checklist and Security and Performance FAQs and this subject confused me before reading this post.

Cheers, Rob
