secure it with php.ini
Moderator: General Support Moderators
Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
- Pumuckl
- Joomla! Apprentice
- Posts: 6
- Joined: Tue Jul 11, 2006 12:37 pm
secure it with php.ini
Hi,
I don't know whether you know this, but you can additionally secure your Joomla with a php.ini in each directory, or in your main php.ini if you have your own server:
------------snip------------------
allow_url_fopen = OFF
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open
------------snap------------------
Thanks for your attention
- Vish
- Joomla! Explorer
- Posts: 382
- Joined: Mon Aug 22, 2005 5:43 pm
- Contact:
Re: secure it with php.ini
Can the development team confirm this for us?
Will this have any problems that we can foresee?
Why doesn't development include this in the Joomla distribution itself?
--Vish "Still Learning"
- RobS
- Joomla! Ace
- Posts: 1366
- Joined: Mon Dec 05, 2005 10:17 am
- Location: New Orleans, LA, USA
- Contact:
Re: secure it with php.ini
You have to have PHP configured to look for these extra php.ini files which most hosts probably don't do. It is not included in the default install because it is not a common solution. Most PHP developers recognize the potential for misuse of register globals and choose not to use them, it is better to have them turned off completely for the whole server and that is what we recommend.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions
- Pumuckl
- Joomla! Apprentice
- Posts: 6
- Joined: Tue Jul 11, 2006 12:37 pm
Re: secure it with php.ini
But my hoster (Schlund) has activated this feature and I'm not sure whether 1and1 has activated it, too.
It's not a mistake to do this; if you do not know what your hoster is doing, it's better to insert your own php.ini file.
Right?
- RobS
- Joomla! Ace
- Posts: 1366
- Joined: Mon Dec 05, 2005 10:17 am
- Location: New Orleans, LA, USA
- Contact:
Re: secure it with php.ini
Pumuckl wrote:
But my hoster (Schlund) has activated this feature and I'm not sure whether 1and1 has activated it, too.
It's not a mistake to do this; if you do not know what your hoster is doing, it's better to insert your own php.ini file.
Right?

PHP will not automatically read the values from any file called php.ini. PHP has to be configured in the core php.ini file to scan other directories for more ini files. By default, it only scans the extensions directory for other ini files. Some hosts allow the users to override the configuration of the core php.ini via this method, but as far as I am aware it is not a very common practice.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions
- albi
- Joomla! Explorer
- Posts: 273
- Joined: Fri Aug 19, 2005 12:47 pm
- Contact:
Re: secure it with php.ini
RobS wrote:
PHP will not automatically read the values from any file called php.ini. PHP has to be configured in the core php.ini file to scan other directories for more ini files. By default, it only scans the extensions directory for other ini files. Some hosts allow the users to override the configuration of the core php.ini via this method, but as far as I am aware it is not a very common practice.
Pumuckl wrote:
But my hoster (Schlund) has activated this feature and I'm not sure whether 1and1 has activated it, too.
It's not a mistake to do this; if you do not know what your hoster is doing, it's better to insert your own php.ini file.
Right?

I can override the php.ini file.
Is this a solution that I can use for a more secure Joomla?
Demetris Dimarelis
http://www.e-orama.com, Web Services & Internet Marketing in Greece & Albania
- RobS
- Joomla! Ace
- Posts: 1366
- Joined: Mon Dec 05, 2005 10:17 am
- Location: New Orleans, LA, USA
- Contact:
Re: secure it with php.ini
If your host has register globals on, I would suggest disabling it if you can by a php.ini override. I don't know other than that; I don't mess with the settings of PHP very often, so I'm not familiar with the more secure/less secure options (aside from register globals, obviously).
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions
- Pumuckl
- Joomla! Apprentice
- Posts: 6
- Joined: Tue Jul 11, 2006 12:37 pm
Re: secure it with php.ini
albi wrote:
I can override the php.ini file.
Is this a solution that I can use for a more secure Joomla?

Yes, this will secure your Joomla!
But check whether all functions of 3rd-party add-ons or components still work after this.
You have to insert the php.ini file in each directory; it does not work recursively!
And you don't need to include the parameter "phpinfo"; only do so if you don't want to show users your PHP configuration.
I've used it and I see that Joomla still works fine after I inserted the php.ini.
Try it!
If you're able to override the global php.ini, please add "php_value register_globals off", too.
php.ini:
-------------snip-------------
allow_url_fopen = Off
; php_value is an .htaccess (mod_php) directive and is a syntax error in php.ini;
; in php.ini the same setting is written as:
register_globals = Off
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open
-------------snap-------------
Last edited by Pumuckl on Wed Jul 12, 2006 7:25 am, edited 1 time in total.
- albi
- Joomla! Explorer
- Posts: 273
- Joined: Fri Aug 19, 2005 12:47 pm
- Contact:
Re: secure it with php.ini
Do i need to include php.ini also on images folder???
Demetris Dimarelis
http://www.e-orama.com, Web Services & Internet Marketing in Greece & Albania
- Pumuckl
- Joomla! Apprentice
- Posts: 6
- Joined: Tue Jul 11, 2006 12:37 pm
Re: secure it with php.ini
albi wrote:
Do I need to include php.ini also in the images folder???

No, because there are no PHP files there.
-
- Joomla! Enthusiast
- Posts: 136
- Joined: Sun Sep 11, 2005 7:46 pm
- Location: san francisco, ca usa
Re: secure it with php.ini
I have Joomla sites hosted at site5, which runs PHP in CGI mode, supposedly for security.
The default php.ini for the server runs with register_globals=off
To secure your apps, this means that you have to have a php.ini file inside of every directory of your application. This is a major pain, but there is a great solution!
A guy there came up with two great scripts that let you take care of the issue:
1) copy your server's default php.ini - if you don't do this you will cause more damage than doing nothing
2) add the custom features you need in this php.ini
3) copy it across your site with the script
http://tips-scripts.com/?tip=php_ini
http://tips-scripts.com/?tip=php_ini_copy
http://tips-scripts.com/?tip=php_ini_delete
I did this after a dotproject app was hacked, and realized how register_globals = ON is dangerous, so I went through all apps to do this. Now I do this as a rule for every app.
So the custom settings would be:
; USER MODIFIED PARAMETERS FOLLOW
register_globals = Off
session.use_trans_sid = 0
And make sure you chmod the php.ini to 0600 before you copy it across the site with the script. (I use WinSCP to edit the file directly from my desktop, or from PuTTY; not sure if 0600 is too restrictive if you use other methods.)
Last edited by emagin on Thu Jul 13, 2006 6:26 pm, edited 1 time in total.
- nathandiehl
- Joomla! Champion
- Posts: 6044
- Joined: Fri Aug 19, 2005 3:03 pm
- Location: Indiana, USA
- Contact:
Re: secure it with php.ini
emagin,
thank you very much for links to those scripts. they were very helpful!
If you're new to Joomla, Please read Anna's Joomla! Tips: http://forum.joomla.org/viewtopic.php?t=5503
http://nathandiehl.com | Find out what makes me tick
-
- Joomla! Apprentice
- Posts: 7
- Joined: Sun Oct 23, 2005 6:29 pm
Re: secure it with php.ini
emagin wrote:
I have Joomla sites hosted at site5, which runs PHP in CGI mode, supposedly for security.
The default php.ini for the server runs with register_globals=off
To secure your apps, this means that you have to have a php.ini file inside of every directory of your application. This is a major pain, but there is a great solution!
A guy there came up with two great scripts that let you take care of the issue:
1) copy your server's default php.ini - if you don't do this you will cause more damage than doing nothing
2) add the custom features you need in this php.ini
3) copy it across your site with the script
http://tips-scripts.com/?tip=php_ini
http://tips-scripts.com/?tip=php_ini_copy
http://tips-scripts.com/?tip=php_ini_delete
I did this after a dotproject app was hacked, and realized how register_globals = ON is dangerous, so I went through all apps to do this. Now I do this as a rule for every app.
So the custom settings would be:
; USER MODIFIED PARAMETERS FOLLOW
register_globals = Off
session.use_trans_sid = 0
And make sure you chmod the php.ini to 0600 before you copy it across the site with the script. (I use WinSCP to edit the file directly from my desktop, or from PuTTY; not sure if 0600 is too restrictive if you use other methods.)

If I use shared hosting, how do I get to my server's php.ini file?
- nathandiehl
- Joomla! Champion
- Posts: 6044
- Joined: Fri Aug 19, 2005 3:03 pm
- Location: Indiana, USA
- Contact:
Re: secure it with php.ini
Create a new PHP file with the contents:
Its results will give you the location.
If you're new to Joomla, Please read Anna's Joomla! Tips: http://forum.joomla.org/viewtopic.php?t=5503
http://nathandiehl.com | Find out what makes me tick
-
- Joomla! Enthusiast
- Posts: 136
- Joined: Sun Sep 11, 2005 7:46 pm
- Location: san francisco, ca usa
Re: secure it with php.ini
The second link listed explains how to copy your ini file.
-
- Joomla! Enthusiast
- Posts: 136
- Joined: Sun Sep 11, 2005 7:46 pm
- Location: san francisco, ca usa
Re: secure it with php.ini
Also, don't forget to run your copy php.ini script after each component install in Joomla.
There are several components which write data in directories. If there is an exploit of that component (like a forum component, etc.) and you don't run the copy php.ini script to refill those new directories, you could be exposed.
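The copy-and-verify procedure emagin describes earlier in the thread (copy the server's php.ini, add your settings, copy it into every directory, chmod 0600, and re-run it after every component install, as the post just above reminds), worked through as an added example in POSIX shell. This is my code, not the tips-scripts.com scripts from the thread and not anything shipped by the Joomla project. It assumes PHP runs as CGI under the site owner's account (so a php.ini in the script's directory is read and 0600 is enough) and that the file you pass in was derived from the server's own php.ini; the function names `check_php_ini` and `deploy_php_ini`, the `extension_dir` heuristic and the sample directory layout in the usage line are my assumptions.

```shell
#!/bin/sh
# Added example: fan a hardened php.ini out to every directory holding PHP files.
# PHP in CGI mode reads php.ini from the directory of the script being run and
# never from a parent directory, so each such directory needs its own copy.
# A per-directory php.ini REPLACES the server php.ini instead of extending it,
# which is why the file is checked first: a two-line stub would silently drop
# every other server default (extension_dir, memory limits, safe_mode, ...).

# ini_get FILE DIRECTIVE: value of an uncommented directive; last assignment wins (as in PHP).
ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*;.*$//; s/[[:space:]]*$//' \
        | tail -n 1
}

# ini_is_off VALUE: PHP treats 0, off, false, no, none and the empty string as false.
ini_is_off() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        0|off|false|no|none|"") return 0 ;;
        *) return 1 ;;
    esac
}

# check_php_ini FILE: print one line per missing hardening setting from the thread;
# returns 0 only when everything is in place.
check_php_ini() {
    f=$1
    ok=0
    ini_is_off "$(ini_get "$f" register_globals)" || { echo "register_globals is not off"; ok=1; }
    ini_is_off "$(ini_get "$f" allow_url_fopen)" || { echo "allow_url_fopen is not off"; ok=1; }
    # the exec-style functions from the disable_functions line in the first post
    disabled=",$(ini_get "$f" disable_functions | tr -d ' '),"
    for fn in system shell_exec passthru exec popen proc_open; do
        case "$disabled" in
            *,$fn,*) ;;
            *) echo "disable_functions does not list $fn"; ok=1 ;;
        esac
    done
    # Heuristic (my assumption): a copy of the server's php.ini carries an
    # extension_dir, a hand-written stub does not.
    [ -n "$(ini_get "$f" extension_dir)" ] || { echo "no extension_dir: not based on the server php.ini?"; ok=1; }
    return $ok
}

# deploy_php_ini SRC ROOT: copy SRC as php.ini into every directory under ROOT that
# directly contains a .php file (directories like images/ get none), mode 0600.
# 0600 is enough when PHP runs as CGI under the site owner's uid (suexec/suPHP);
# under mod_php a per-directory php.ini is never read, so this script is moot there.
# Re-run after every component install: new directories need their copy too.
deploy_php_ini() {
    src=$1
    root=$2
    check_php_ini "$src" >/dev/null || { echo "refusing to deploy: $src fails check_php_ini" >&2; return 1; }
    find "$root" -type f -name '*.php' -exec dirname {} \; | sort -u | while IFS= read -r d; do
        target="$d/php.ini"
        if [ -f "$target" ] && cmp -s "$src" "$target"; then
            : # identical already (also covers SRC living inside ROOT); leave it alone
        else
            cp "$src" "$target"
        fi
        chmod 0600 "$target" && echo "$target"
    done
}

# Usage: sh deploy-php-ini.sh /home/user/php.ini /home/user/public_html
if [ "$#" -eq 2 ]; then
    deploy_php_ini "$1" "$2"
fi
```

`deploy_php_ini` prints every path it wrote, so the output after a component install is the list of directories that are newly covered; `check_php_ini` run on its own before editing tells you which of the thread's settings your host's php.ini already has.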
-
- Joomla! Intern
- Posts: 50
- Joined: Tue Aug 01, 2006 4:28 am
- Contact:
Re: secure it with php.ini
emagin wrote:
Also, don't forget to run your copy php.ini script after each component install in Joomla.
There are several components which write data in directories. If there is an exploit of that component (like a forum component, etc.) and you don't run the copy php.ini script to refill those new directories, you could be exposed.

Hey emagin, thanks for the script. I am a little confused on how I run the copy script though. I uploaded both the copy and default script from the links you gave me, and I named them php.ini and multiply-php.ini. I typed the latter in my browser's address bar, but it just gave me an option to save the file.
Is there some kind of program I need to install or use? Could I PM you my scripts so you could have a look at them?
Thanks, Brandon.
www.hdtvinnovations.com - HDTV Innovations, your ultimate HDTV headquarters.
"I like mornings .. I just wish they were later in the day" - Me.
"'Techmology' what is it all about" - Ali G.
- Hal
- Joomla! Apprentice
- Posts: 30
- Joined: Fri Aug 19, 2005 11:24 pm
- Location: Duisburg / Germany
- Contact:
Re: secure it with php.ini
Code:
; escapeshellcmd/escapeshellarg only escape strings and cannot run anything, and
; wget/proc are not PHP functions, so those four are dropped from the original list
disable_functions = show_source,exec,shell_exec,passthru,system,popen,proc_open
-
- Joomla! Intern
- Posts: 63
- Joined: Fri Sep 02, 2005 9:24 pm
Re: secure it with php.ini
Hello all
I would like the following ini code "translated" into the .htaccess file.
Do you know the equivalent?
Code:
register_globals = 0
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open
allow_url_fopen = 0
magic_quotes_gpc = 0
- Beat
- Joomla! Guru
- Posts: 844
- Joined: Thu Aug 18, 2005 8:53 am
- Location: Switzerland
- Contact:
Re: secure it with php.ini
silexian wrote:
Hello all
I would like the following ini code "translated" into the .htaccess file.
Do you know the equivalent?
Code:
register_globals = 0
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open
allow_url_fopen = 0
magic_quotes_gpc = 0

I can't agree with magic_quotes_gpc = 0 being more secure than magic_quotes_gpc = 1...
For added security you really should have magic_quotes_gpc = 1.
This avoids most SQL injection attacks for poor code (or stupidly forgotten escaping), and all Joomla and most extensions know how to handle it correctly.
Beat
www.joomlapolis.com <= Community Builder + CBSubs Joomla membership payment system - team
hosting.joomlapolis.com <= Joomla! Hosting, by the CB Team
- wshealy
- Joomla! Apprentice
- Posts: 46
- Joined: Thu Jan 19, 2006 4:12 am
Re: secure it with php.ini
Guys
Do you have to mod the copy script? I changed the get-php script and it works like a charm, but my
copy script says "Error - no source php.ini file" even with the new php.ini in my Joomla directory.
Thanks
W
-
- Joomla! Explorer
- Posts: 354
- Joined: Sat Jun 17, 2006 5:07 pm
Re: secure it with php.ini
ok, I've got the location of php.ini on my server, but how do I read the contents to add it to my new php.ini file, or am I just reading this wrong?
-
- Joomla! Apprentice
- Posts: 33
- Joined: Sat Jul 01, 2006 4:00 pm
Re: secure it with php.ini
I asked my hosting server to turn register globals off and they gave me this answer:
You can turn register_globals off by writing the following code (line) in an .htaccess file which is under public_html.
--------------------------------------------------------
php_flag register_globals off
--------------------------------------------------------
Is this true? Does it affect all subdirectories under the public_html directory?
- RobS
- Joomla! Ace
- Posts: 1366
- Joined: Mon Dec 05, 2005 10:17 am
- Location: New Orleans, LA, USA
- Contact:
Re: secure it with php.ini
Yes (if their configuration allows it, obviously, it does) and yes it will affect all subdirectories of public_html if placed in the public_html folder. Hint: append it to Joomla's .htaccess file if you are using it, otherwise, create your own.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions
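silexian's question earlier in the thread (the .htaccess equivalent of the php.ini lines) and the host's `php_flag register_globals off` answer that Rob confirms just above, worked through as an added shell example. This is my code, not from the thread, from any host, or from the Joomla project. It turns php.ini-style lines into `php_flag`/`php_value` lines and refuses the ones that cannot be set from .htaccess at all. The changeable modes in the `ini_mode` table are taken from the PHP manual's directive list: `register_globals` and `magic_quotes_gpc` are PHP_INI_PERDIR, `session.use_trans_sid` and `display_errors` are PHP_INI_ALL, and `disable_functions`, `allow_url_fopen` and `safe_mode` are PHP_INI_SYSTEM, so the answer to "translate disable_functions into .htaccess" is that it cannot be done; it has to stay in php.ini or httpd.conf. Two caveats the thread only hints at: `php_flag`/`php_value` are mod_php directives, so on a CGI/FastCGI host like the one emagin describes they produce a 500 error instead of taking effect, and they only work where the directory has `AllowOverride Options` (or `All`). The function names and the `--stdin` flag are mine.

```shell
#!/bin/sh
# Added example: translate php.ini hardening lines into .htaccess php_flag/php_value lines.
# Only directives whose changeable mode is PHP_INI_PERDIR or PHP_INI_ALL can be set
# from .htaccess, and only under mod_php with AllowOverride Options (or All).
# PHP_INI_SYSTEM directives (disable_functions, allow_url_fopen, safe_mode) belong in
# php.ini or httpd.conf, so they are refused rather than turned into a line that
# Apache would accept and PHP would then ignore.

# ini_mode DIRECTIVE: changeable mode, from the PHP manual's list of ini directives.
ini_mode() {
    case "$1" in
        register_globals|magic_quotes_gpc)           echo PERDIR ;;
        session.use_trans_sid|display_errors)        echo ALL ;;
        disable_functions|allow_url_fopen|safe_mode) echo SYSTEM ;;
        *)                                           echo UNKNOWN ;;
    esac
}

# is_flag DIRECTIVE: boolean directives use php_flag, everything else php_value.
is_flag() {
    case "$1" in
        register_globals|magic_quotes_gpc|session.use_trans_sid|display_errors) return 0 ;;
        *) return 1 ;;
    esac
}

# flag_value VALUE: map the boolean spellings php.ini accepts (1/0, on/off, true/false,
# yes/no) to the on/off that php_flag expects.
flag_value() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        1|on|true|yes)     echo on ;;
        0|off|false|no|"") echo off ;;
        *)                 echo "$1" ;;
    esac
}

# ini_to_htaccess: php.ini-style lines on stdin, .htaccess lines on stdout.
# Directives that cannot live in .htaccess are reported on stderr and the exit
# status is 1, so a deploy script notices that part of the hardening did not apply.
ini_to_htaccess() {
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        # drop comments and surrounding whitespace, skip blank lines
        line=$(printf '%s' "$line" | sed 's/[;#].*$//; s/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -z "$line" ] && continue
        key=$(printf '%s' "$line" | sed 's/[[:space:]]*=.*$//')
        val=$(printf '%s' "$line" | sed 's/^[^=]*=[[:space:]]*//')
        case "$(ini_mode "$key")" in
            SYSTEM)
                echo "skip: $key is PHP_INI_SYSTEM, set it in php.ini or httpd.conf" >&2
                rc=1 ;;
            UNKNOWN)
                echo "skip: $key is not in the table, check its mode in the PHP manual" >&2
                rc=1 ;;
            *)
                if is_flag "$key"; then
                    echo "php_flag $key $(flag_value "$val")"
                else
                    echo "php_value $key $val"
                fi ;;
        esac
    done
    return $rc
}

# Usage: sh ini-to-htaccess.sh --stdin < hardening.ini >> public_html/.htaccess
if [ "${1:-}" = "--stdin" ]; then
    ini_to_htaccess
fi
```

Run against silexian's four lines it emits `php_flag register_globals off` and `php_flag magic_quotes_gpc off`, reports `disable_functions` and `allow_url_fopen` as not translatable, and exits 1; the non-zero exit is deliberate so that nobody assumes the .htaccess carries the whole hardening.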
-
- Joomla! Apprentice
- Posts: 33
- Joined: Sat Jul 01, 2006 4:00 pm
Re: secure it with php.ini
Cool! This certainly beats using the scripts in this forum to copy a personalized php.ini file in every single directory in my web site.
- RobS
- Joomla! Ace
- Posts: 1366
- Joined: Mon Dec 05, 2005 10:17 am
- Location: New Orleans, LA, USA
- Contact:
Re: secure it with php.ini
There are ways to set that up properly so you don't have to copy the php.ini to every directory but your hosting company has to have a certain setup. Unfortunately, most are not wise enough to do this. That is why I always suggest people talk to their hosting company before they try one of these overrides as your hosting company might have an easier way to do it but you would never know if you didn't ask them. :P
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions
-
- Joomla! Apprentice
- Posts: 33
- Joined: Sat Jul 01, 2006 4:00 pm
Re: secure it with php.ini
Works perfectly! Thanks for your help Rob.
- Beat
- Joomla! Guru
- Posts: 844
- Joined: Thu Aug 18, 2005 8:53 am
- Location: Switzerland
- Contact:
Re: secure it with php.ini
miggalvez wrote:
I asked my hosting server to turn register globals off and they gave me this answer:
You can turn register_globals off by writing the following code (line) in an .htaccess file which is under public_html.
--------------------------------------------------------
php_flag register_globals off
--------------------------------------------------------
Is this true? Does it affect all subdirectories under the public_html directory?

This is by far the preferred method (after the one of having the hoster turn it off for you in his site settings), as php.ini files which are in all folders are only valid at the time of installing them.
But imagine that one month from now you install a new third-party component (with a "register_globals"-dependent vulnerability) and forget about it: that component will not be protected without that php.ini file, and Joomla! will not be able to prevent it, as it can't scan all directories for that!
So if at all possible, avoid that method of php.ini files in your own folders, except as an immediate temporary fix.
Prefer:
1) your hoster changing it in his own settings back to the default PHP value: OFF
2) the .htaccess file method if your hoster allows it
3) consider changing hoster if you can't talk with them about these basic PHP security settings "1)" or "2)".
Beat
www.joomlapolis.com <= Community Builder + CBSubs Joomla membership payment system - team
hosting.joomlapolis.com <= Joomla! Hosting, by the CB Team
- RobS
- Joomla! Ace
- Posts: 1366
- Joined: Mon Dec 05, 2005 10:17 am
- Location: New Orleans, LA, USA
- Contact:
Re: secure it with php.ini
Actually, that isn't the only decent way. If your host knows what they are doing they can setup Apache/PHP to look for a php file per virtualhost in a specific place. I use this configuration on my own servers and it works very well because it is easier to manage a php.ini file than an .htaccess file in my opinion. The configuration is actually pretty simple but not many hosters implement for some silly reason or another that I would really like to know... anyway, yeah... ask about that option too.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions
- Beat
- Joomla! Guru
- Posts: 844
- Joined: Thu Aug 18, 2005 8:53 am
- Location: Switzerland
- Contact:
Re: secure it with php.ini
RobS wrote:
Actually, that isn't the only decent way. If your host knows what they are doing they can setup Apache/PHP to look for a php file per virtualhost in a specific place. I use this configuration on my own servers and it works very well because it is easier to manage a php.ini file than an .htaccess file in my opinion. The configuration is actually pretty simple but not many hosters implement for some silly reason or another that I would really like to know... anyway, yeah... ask about that option too.

Yeah, I implied that above (as it's the hoster's task), but as we also have hosters in this forum this clarifies it...
OK, trying to get a full list of preferred options, the first being the best one:
1) hoster sets global default server settings right in the php.ini file (usually /etc/php.ini)
2) hoster sets default server settings correctly for your site (usually a virtualhost on a shared host) at the right place: it can be in the php.ini file, or in httpd.conf or any file included by httpd.conf, including site-specific http.include files, or in the settings of the host management software generating those files for him (warning: manual editing of automatically generated files will kill your edits each time they are regenerated, e.g. when a domain or subdomain is created/modified, resetting the settings).
3) hoster has set or sets you the rights to add the PHP configuration statements in your .htaccess file at the root of the http-accessible area of your server (e.g. httpdocs/ or public_html/). This setting is then valid for all folders and subfolders. Note: get in any case the new great security settings of the 1.0.11 htaccess.txt file (thanks Rob for this great contribution) into your .htaccess file.
4) if 1), 2) or 3) are not feasible at your hoster, and you have non-secure settings, talk with your hoster. These are basic security settings of PHP, which have been set correctly by default in PHP for more than 2 years. Ask him why he changed them and is making his server less secure.
5) if 4) fails, consider 6) below as a temporary safety measure if the hoster's configuration takes it into account, and plan for a hosting migration.
6) if the hoster's configuration takes it into account, add php.ini to each public folder (and later to any newly created folder) containing PHP files. Plan for a hoster with basic PHP security knowledge.
7) In all cases, rename htaccess.txt to .htaccess if you don't have one; otherwise take the security checks at the end of it and copy them at the end of yours. This is an additional line of defense against known attacks on weak 3pd extensions, most of which register_globals would catch. Check its efficiency by typing "www.yoursite.com/blabla?mosConfig=blabla": your site should not display the same as it does without that text, i.e. "www.yoursite.com/blabla?blablabla=blabla"... and plan for a fast hosting migration if 1)-6) could not be implemented.
Reference from the PHP manual on a few less common additional possibilities:
http://ch2.php.net/manual/en/configuration.php (includes a link to the list of directives and default settings).
Register globals off by default since PHP 4.2.0 (that's a long time ago), and why:
http://ch2.php.net/register_globals
More reading on magic_quotes:
http://ch2.php.net/manual/en/security.magicquotes.php
Please post corrections, amendments, etc. as replies, and I will try to edit accordingly.
Last edited by Beat on Tue Aug 29, 2006 7:11 pm, edited 1 time in total.
Beat
www.joomlapolis.com <= Community Builder + CBSubs Joomla membership payment system - team
hosting.joomlapolis.com <= Joomla! Hosting, by the CB Team