Discussion for: Security Messages in Joomla! 1.0.11

Discussion regarding Joomla! security issues.

Moderator: General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
User avatar
Hackwar
Joomla! Virtuoso
Joomla! Virtuoso
Posts: 3783
Joined: Fri Sep 16, 2005 8:41 pm
Location: NRW - Germany
Contact:

Discussion for: Security Messages in Joomla! 1.0.11

Post by Hackwar » Sat Sep 09, 2006 7:41 pm

This is the discussion thread about this topic: Security Messages in Joomla 1.0.11
god doesn't play dice with the universe. not after that drunken night with the devil where he lost classical mechanics in a game of craps.

Since the creation of the Internet, the Earth's rotation has been fueled, primarily, by the collective spinning of English teachers in their graves.

tingtong
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 157
Joined: Wed Aug 02, 2006 11:23 am

Re: Discussion for: Security Messages in Joomla! 1.0.11

Post by tingtong » Sun Sep 10, 2006 8:47 am

My Joomla Administrator site still showing PHP register_globals setting is `ON` instead of `OFF`

I follow the instruction to add below two code to my .htaccess and I totally not able to view my Joomla site.

The failure notice is:-

Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.


The code I added to .htaccess are:-

php_admin_flag register_globals off
php_admin_flag magic_quotes_gpc on

I removed this two lines and is back to normal. I have been trying php.ini and still not working. I spent about 2 days to get this thing fix but still the same.

Anybody can help me? I am newbie and not really know how to do this, have been using Joomla for 2 months.
Last edited by tingtong on Sun Sep 10, 2006 12:04 pm, edited 1 time in total.

User avatar
eyezberg
Joomla! Hero
Joomla! Hero
Posts: 2860
Joined: Thu Aug 25, 2005 5:48 pm
Location: Geneva mostly
Contact:

Re: Discussion for: Security Messages in Joomla! 1.0.11

Post by eyezberg » Sun Sep 10, 2006 11:35 am

Thank you for posting this, I think this info is so usefull, especially the "what does it do" part, that I'm going to translate now & post on the french forums -with your Ok, hoping it's not (c)  hackwar or joomla.org?!
Sometimes one pays most for the things one gets for nothing.
The important thing is not to stop questioning. Curiosity has its own reason for existing. AE
http://joomla15.[URL banned].com for J! 1.5 screenshots
http://www.eyezberg.com

User avatar
Hackwar
Joomla! Virtuoso
Joomla! Virtuoso
Posts: 3783
Joined: Fri Sep 16, 2005 8:41 pm
Location: NRW - Germany
Contact:

Re: Discussion for: Security Messages in Joomla! 1.0.11

Post by Hackwar » Sun Sep 10, 2006 12:02 pm

Eyezberg, feel free to do so. :)

@tingtong
Its possible that your provider has configured your server in a way that these fixes wont work. In that case you have to ask your provider to switch it off for you.
god doesn't play dice with the universe. not after that drunken night with the devil where he lost classical mechanics in a game of craps.

Since the creation of the Internet, the Earth's rotation has been fueled, primarily, by the collective spinning of English teachers in their graves.

tingtong
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 157
Joined: Wed Aug 02, 2006 11:23 am

Re: Discussion for: Security Messages in Joomla! 1.0.11

Post by tingtong » Sun Sep 10, 2006 12:08 pm

Hackwar wrote: Eyezberg, feel free to do so. :)

@tingtong
Its possible that your provider has configured your server in a way that these fixes wont work. In that case you have to ask your provider to switch it off for you.
Ok, thanks. If I swith it off, will that be possible some extension need it to be "ON" in order to function?

If my hosting provider had swicth it off, is that I no need to add the php.ini or .htaccess code anymore?

User avatar
Hackwar
Joomla! Virtuoso
Joomla! Virtuoso
Posts: 3783
Joined: Fri Sep 16, 2005 8:41 pm
Location: NRW - Germany
Contact:

Re: Discussion for: Security Messages in Joomla! 1.0.11

Post by Hackwar » Sun Sep 10, 2006 12:25 pm

tingtong wrote: Ok, thanks. If I swith it off, will that be possible some extension need it to be "ON" in order to function?

If my hosting provider had swicth it off, is that I no need to add the php.ini or .htaccess code anymore?
Yes, it can be possible that some of your extensions wont work, please look in the posting, I've added a link to a thread about extensions that wont work with register_globals and rg_emulation off.
When your provider does this for you, you don't need .htaccess and/or php.ini any more, yes.
god doesn't play dice with the universe. not after that drunken night with the devil where he lost classical mechanics in a game of craps.

Since the creation of the Internet, the Earth's rotation has been fueled, primarily, by the collective spinning of English teachers in their graves.

User avatar
eyezberg
Joomla! Hero
Joomla! Hero
Posts: 2860
Joined: Thu Aug 25, 2005 5:48 pm
Location: Geneva mostly
Contact:

Re: Discussion for: Security Messages in Joomla! 1.0.11

Post by eyezberg » Sun Sep 10, 2006 1:11 pm

Sometimes one pays most for the things one gets for nothing.
The important thing is not to stop questioning. Curiosity has its own reason for existing. AE
http://joomla15.[URL banned].com for J! 1.5 screenshots
http://www.eyezberg.com

User avatar
Hackwar
Joomla! Virtuoso
Joomla! Virtuoso
Posts: 3783
Joined: Fri Sep 16, 2005 8:41 pm
Location: NRW - Germany
Contact:

Re: Discussion for: Security Messages in Joomla! 1.0.11

Post by Hackwar » Sun Sep 10, 2006 1:30 pm

Reads itself very nicely. :)
god doesn't play dice with the universe. not after that drunken night with the devil where he lost classical mechanics in a game of craps.

Since the creation of the Internet, the Earth's rotation has been fueled, primarily, by the collective spinning of English teachers in their graves.

User avatar
eyezberg
Joomla! Hero
Joomla! Hero
Posts: 2860
Joined: Thu Aug 25, 2005 5:48 pm
Location: Geneva mostly
Contact:

Re: Discussion for: Security Messages in Joomla! 1.0.11

Post by eyezberg » Mon Sep 11, 2006 7:38 am

Hannes,
following the publication of that translation, one user pointed out that in an .htaccess file, php_admin_flag and php_admin_value do not work!
These are to be used only server-side to change values which can be accessed only by the admin, so that you can change these later on a site by site basis with .htaccess.

It should instead be php_flag and php_value only.
Reference: http://www.php.net/manual/de/configuration.changes.php

Can you confirm this?
Last edited by eyezberg on Mon Sep 11, 2006 7:40 am, edited 1 time in total.
Sometimes one pays most for the things one gets for nothing.
The important thing is not to stop questioning. Curiosity has its own reason for existing. AE
http://joomla15.[URL banned].com for J! 1.5 screenshots
http://www.eyezberg.com

User avatar
Hackwar
Joomla! Virtuoso
Joomla! Virtuoso
Posts: 3783
Joined: Fri Sep 16, 2005 8:41 pm
Location: NRW - Germany
Contact:

Re: Discussion for: Security Messages in Joomla! 1.0.11

Post by Hackwar » Mon Sep 11, 2006 11:54 am

Sorry, this is an error on my side. I will correct that asap.
god doesn't play dice with the universe. not after that drunken night with the devil where he lost classical mechanics in a game of craps.

Since the creation of the Internet, the Earth's rotation has been fueled, primarily, by the collective spinning of English teachers in their graves.

supern00b
Joomla! Intern
Joomla! Intern
Posts: 55
Joined: Wed Aug 31, 2005 8:37 pm

Re: Discussion for: Security Messages in Joomla! 1.0.11

Post by supern00b » Thu Sep 14, 2006 11:51 pm

In the situation where the server settings can not be changed and the site can not be moved at this point, how can we turn off these warnings?

Simply telling someone to move servers because the one they are on is "crap" isn't too helpful.  :-(

User avatar
RobS
Joomla! Ace
Joomla! Ace
Posts: 1367
Joined: Mon Dec 05, 2005 10:17 am
Location: New Orleans, LA, USA
Contact:

Re: Discussion for: Security Messages in Joomla! 1.0.11

Post by RobS » Fri Sep 15, 2006 12:03 am

supern00b wrote: In the situation where the server settings can not be changed and the site can not be moved at this point, how can we turn off these warnings?
Courtesy of Rey:

Go to: Modules -> Administrator Modules -> Quick Icons -> Security Check = Hide
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions

supern00b
Joomla! Intern
Joomla! Intern
Posts: 55
Joined: Wed Aug 31, 2005 8:37 pm

Re: Discussion for: Security Messages in Joomla! 1.0.11

Post by supern00b » Fri Sep 15, 2006 1:32 am

Nice, thanks.

Just spent 20 minutes tracking it down and changing '1' to '0', though.  LOL.

Much appreciated, sir.

kmekc
Joomla! Apprentice
Joomla! Apprentice
Posts: 44
Joined: Fri Sep 01, 2006 8:04 am
Location: Berlin

Re: Discussion for: Security Messages in Joomla! 1.0.11

Post by kmekc » Fri Sep 15, 2006 9:58 am

A real nice security option would be a module that checks if there is an "defined(...) or die(...)" at the beginning of an component file. Maybe the check comes with installation of an component. So an admin who has not much experience has the ability to see if an component maybe is a security risk.

cheep-cheep
Joomla! Apprentice
Joomla! Apprentice
Posts: 9
Joined: Sat Dec 17, 2005 8:19 am
Location: Canada
Contact:

Re: Discussion for: Security Messages in Joomla! 1.0.11

Post by cheep-cheep » Mon Sep 18, 2006 7:28 am

Okay, so far I've tried everything with my php.ini file and .htacess file.

Code: Select all

php_flag register_globals off
php_flag magic_quotes_gpc on
have been added to my .htacess file and saved

Code: Select all

register_globals = off
allow_url_fopen = off
magic_quotes_gpc = on
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open
Have been added to my php.ini and saved. I've also made the changes to globals.php that were written in the security messages topic.

Still I keep getting the same Register Globals is set to on instead of off warning. I know that it's set to off. So is there anything I could've missed that for some reason keeps register globals (or makes joomla think) that register globals is on?
Last edited by cheep-cheep on Mon Sep 18, 2006 7:31 am, edited 1 time in total.

kmekc
Joomla! Apprentice
Joomla! Apprentice
Posts: 44
Joined: Fri Sep 01, 2006 8:04 am
Location: Berlin

Re: Discussion for: Security Messages in Joomla! 1.0.11

Post by kmekc » Mon Sep 18, 2006 11:13 am

Maybe you just check in the administrator following point:

System -> System Info

there you switch to "PHP Info". There you will find the directives used by your domain. If you use virtual hosts you will see a Local Value and a Master Value.

Now search for the entry Register Globals and the Local Value of this entry. If this one is set to off, it is really set off.

User avatar
Hackwar
Joomla! Virtuoso
Joomla! Virtuoso
Posts: 3783
Joined: Fri Sep 16, 2005 8:41 pm
Location: NRW - Germany
Contact:

Re: Discussion for: Security Messages in Joomla! 1.0.11

Post by Hackwar » Mon Sep 18, 2006 3:55 pm

Sometimes the provider has locked down the function that you would need to change those values with .htaccess or php.ini files in the directories.
god doesn't play dice with the universe. not after that drunken night with the devil where he lost classical mechanics in a game of craps.

Since the creation of the Internet, the Earth's rotation has been fueled, primarily, by the collective spinning of English teachers in their graves.

cheep-cheep
Joomla! Apprentice
Joomla! Apprentice
Posts: 9
Joined: Sat Dec 17, 2005 8:19 am
Location: Canada
Contact:

Re: Discussion for: Security Messages in Joomla! 1.0.11

Post by cheep-cheep » Tue Sep 19, 2006 1:58 am

Hmm, was able to fix it now.

kmekc, I did what you said and was able to find an entry for register globals that was set to on. I searched around my webhost's forum and found a topic related to register_globals and joomla.

Along with having register_globals set to off in the php.ini file, (which was already done). I was also told to put this code in my .htaccess file

Code: Select all

suPHP_ConfigPath /home/your_user_name/public_html
<Files php.ini>
order allow,deny
deny from all
</Files>
Then, to put this code at the top of the exploitable file in question at the top right after the opening php tag

Code: Select all

defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.');
That seemed to do it. So, just throwing this out there in case anyone was having the same problems I was. Thanks!

DeSenaViegas
Joomla! Apprentice
Joomla! Apprentice
Posts: 9
Joined: Fri Sep 22, 2006 12:55 pm

Re: Discussion for: Security Messages in Joomla! 1.0.11

Post by DeSenaViegas » Sun Sep 24, 2006 2:54 pm

And now I would like to ask you:

Is the file .htaccess the same as the htaccess.txt in the Joomla root folder on my Provider?
The same with php.ini: If I create my own php.ini and install it in the above mentioned folder, will I get finally the solution for:

PHP register_globals setting is `ON` instead of `OFF` ???

Thankx!

Alex

locutus
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 111
Joined: Thu Aug 18, 2005 6:43 pm

Re: Discussion for: Security Messages in Joomla! 1.0.11

Post by locutus » Mon Sep 25, 2006 7:39 am

Note: some (most) hosts require to have php.ini in every (sub) directory.

DeSenaViegas
Joomla! Apprentice
Joomla! Apprentice
Posts: 9
Joined: Fri Sep 22, 2006 12:55 pm

Re: Discussion for: Security Messages in Joomla! 1.0.11

Post by DeSenaViegas » Mon Sep 25, 2006 7:44 am

Do you mean, if I create and save a document php.ini, containing only the two lines (or four):

register_globals = off
magic_quotes_gpc = on

and then install it in each folder and subfolder it will works?

Well, yesterday I tried only each folder, and I tought that would be enough...however, I'm going to try that!

Thank!  8)

DeSenaViegas
Joomla! Apprentice
Joomla! Apprentice
Posts: 9
Joined: Fri Sep 22, 2006 12:55 pm

No way

Post by DeSenaViegas » Mon Sep 25, 2006 9:17 am

I still getting the GLOBAL_REGISTERS ON

I tried to install the php.ini in each single folder and subfolder, but it doesn't work.

I will wait for some know-how...or inspiration!  8)

Thankx!

User avatar
brian
Joomla! Master
Joomla! Master
Posts: 11765
Joined: Fri Aug 12, 2005 7:19 am
Location: Leeds, UK
Contact:

Re: Discussion for: Security Messages in Joomla! 1.0.11

Post by brian » Mon Sep 25, 2006 10:29 am

you need to  check that your host actually allow overide of php.ini, many do not.
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/

DeSenaViegas
Joomla! Apprentice
Joomla! Apprentice
Posts: 9
Joined: Fri Sep 22, 2006 12:55 pm

Re: Discussion for: Security Messages in Joomla! 1.0.11

Post by DeSenaViegas » Mon Sep 25, 2006 10:37 am

I wonder if I'll ever be able to correctly install Joomla... :-\

Until now, I just know that the main problem of the installation relates to

.htaccess and php.ini

I wonder also if the morphology of my .htaccess was right. I got a 404 after the installation in the Joomla main folder

Regards!
Last edited by brad on Mon Oct 09, 2006 5:16 am, edited 1 time in total.

briar
Joomla! Apprentice
Joomla! Apprentice
Posts: 7
Joined: Thu Oct 05, 2006 12:53 pm

Re: Discussion for: Security Messages in Joomla! 1.0.11

Post by briar » Thu Oct 05, 2006 2:19 pm

Hi

As a recent convert to Joomla and as someone who will be developing several sites using this excellent package, I too became a little concerned with the warning in the admin section advising PHP register_globals setting is `ON` instead of `OFF`

Having read through the comments and guidance in this forum and not wishing to get deeply involved in copying files and adding bits and pieces here and there I took the advice and approached my host about turning this setting to 'off' first.

The response was very interesting and by following the simple advice given, I have been able to resolve this security weakness by adding a single line of instruction to the sites (latest  Joomla version) .htaccess file

I additionally modified the global.php to 'off' to complete the exercise.

The code I have added to the .htaccess file is as follows

AddType x-mapp-php5 .php

This obviously only applies to a host that is providing php 5 within their service, however many now offer both php 4 and 5.

given that the code in joomla is written with the .php extension and it appears that php 5 needs this to be .php5

Whilst the change to Joomla's core is perhaps a major undertaking, is possible to make this compatible with the needs of php 5 as this seemingly set up with register_globals 'off' by default. Maybe this line of code could be added as standard to the base htaccess.txt file in the shorterm and perhaps a version of Joomla be dedicated to use with PHP5?

As has been suggested in many of the moderator's replies if the host doesn't offer support then perhaps a change of host is a wise step.

For reference my host is 1&1

I now have a admin screen without those worrying red characters at the bottom telling me to take action on security!

I hope this adds something to the debate about security against site hacks.

One question that this raises is, how doe's this affect third party extensions and templates?

My Joomlashack templates have not been affected but are the other items at risk, I wonder?

David

User avatar
RobS
Joomla! Ace
Joomla! Ace
Posts: 1367
Joined: Mon Dec 05, 2005 10:17 am
Location: New Orleans, LA, USA
Contact:

Re: Discussion for: Security Messages in Joomla! 1.0.11

Post by RobS » Thu Oct 05, 2006 8:27 pm

briar wrote: given that the code in joomla is written with the .php extension and it appears that php 5 needs this to be .php5
PHP 5 does not need files to be named .php5.  This is just a convention that your hosting provider has taken on.  In reality, PHP doesn't care what the files are named as long as you configure it to parse them you can name your files .foobar if you wanted to.
briar wrote: Whilst the change to Joomla's core is perhaps a major undertaking, is possible to make this compatible with the needs of php 5 as this seemingly set up with register_globals 'off' by default. Maybe this line of code could be added as standard to the base htaccess.txt file in the shorterm and perhaps a version of Joomla be dedicated to use with PHP5?
See above note, this is not a standard, just a convention that your host uses.  Hence, there is no reason to change the core or make a separate version.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions

briar
Joomla! Apprentice
Joomla! Apprentice
Posts: 7
Joined: Thu Oct 05, 2006 12:53 pm

Re: Discussion for: Security Messages in Joomla! 1.0.11

Post by briar » Fri Oct 06, 2006 7:59 am

Thanks for your reply Rob

Not being someone who would usually delve deeper than necessary into such issue's. I am I guess like many who visit the forum, a software user rather than a developer. In this case we have to resolve such issues when they appear and as this is problem that needs to be resolved to make any Joomla based site secure we need support from you guys.

I rather naively assumed the need for the added character on the extension in PHP5, so your point has straightened me out on that so my question about modifying the core is also resolved and therefore withdrawn.

I suppose I should have thought harder before asking, given the way Joomla is crafted, my apologies.

Having sought you support through the previous posts and followed this through with the host and been given a very simple way to resolve my problem, my question is now:

(1) Will this work in a generic way if added to the sites .htaccess file and used on any host server or will it be host specific?

(2) Will such an addition in this way affect Joomla if there is no PHP5 on the server?

(3) Will it affect the performance of third party extensions in either case above?

Given that it was a very simple way to resolve my issue with the problem I posted the information for discussion as it saved a heck of a lot of work and worry compared to some of the options discussed. If there is a positive to all of the questions above it may help others who don't have the skills or wish to delve deeper than changing '1' to '0' or adding a line of code, as the risk of breaking the site is always in the back of their minds.

I suspect many have to ignore the warnings for fear of the work and risk involved in overcoming it and put their site on line with a security weakness, or do not use such a superb CMS system because of the perceived difficulty of securing it.

I wonder how many basic users do not even modify the htaccess.txt by renaming it once uploaded, in which case this would not work anyway, therein lies another issue to be resolved perhaps?

I can only hope that my experience is of use in providing an another possible answer to resolving this security issue, particularly if there is a positive answer to the three questions above.

If nothing more, it will answer the question for the users who use the same host as myself and underline the benefits of asking the Host before jumping in deep too quickly.

Look forward to your reply and continued support of a great bit of software.

Regards

David

User avatar
RobS
Joomla! Ace
Joomla! Ace
Posts: 1367
Joined: Mon Dec 05, 2005 10:17 am
Location: New Orleans, LA, USA
Contact:

Re: Discussion for: Security Messages in Joomla! 1.0.11

Post by RobS » Fri Oct 06, 2006 8:17 am

briar wrote: Thanks for your reply Rob

Not being someone who would usually delve deeper than necessary into such issue's. I am I guess like many who visit the forum, a software user rather than a developer. In this case we have to resolve such issues when they appear and as this is problem that needs to be resolved to make any Joomla based site secure we need support from you guys.

I rather naively assumed the need for the added character on the extension in PHP5, so your point has straightened me out on that so my question about modifying the core is also resolved and therefore withdrawn.

I suppose I should have thought harder before asking, given the way Joomla is crafted, my apologies.

Having sought you support through the previous posts and followed this through with the host and been given a very simple way to resolve my problem, my question is now:

(1) Will this work in a generic way if added to the sites .htaccess file and used on any host server or will it be host specific?

(2) Will such an addition in this way affect Joomla if there is no PHP5 on the server?

(3) Will it affect the performance of third party extensions in either case above?

Given that it was a very simple way to resolve my issue with the problem I posted the information for discussion as it saved a heck of a lot of work and worry compared to some of the options discussed. If there is a positive to all of the questions above it may help others who don't have the skills or wish to delve deeper than changing '1' to '0' or adding a line of code, as the risk of breaking the site is always in the back of their minds.

I suspect many have to ignore the warnings for fear of the work and risk involved in overcoming it and put their site on line with a security weakness, or do not use such a superb CMS system because of the perceived difficulty of securing it.

I wonder how many basic users do not even modify the htaccess.txt by renaming it once uploaded, in which case this would not work anyway, therein lies another issue to be resolved perhaps?

I can only hope that my experience is of use in providing an another possible answer to resolving this security issue, particularly if there is a positive answer to the three questions above.

If nothing more, it will answer the question for the users who use the same host as myself and underline the benefits of asking the Host before jumping in deep too quickly.

Look forward to your reply and continued support of a great bit of software.

Regards

David
David,

No need to apologize :)

As for your 3 questions, I will answer them as best I can but to be honest, I am not sure I understand what you are asking with the second question.

1.  No, this is host specific.  There are many ways that a web server can be configured, this is just one of the many.  There are some other more general configuration options that you can use and are documented in other threads on this forum, so I will not repeat them here, but again, those are dependent on certain configurations and environments. 

2. In general, it won't affect the Joomla! core however it may cause some negative side effects for 3rd party extensions.  There is a thread that is trying to document many of the extensions that are affected on this forum as well.  Be warned, it is a large, overwhelming thread but Websmurf, the thread starter, is doing a fair job of keeping a summary of the information in the first post.  You can find that thread here: http://forum.joomla.org/index.php/topic ... cseen.html.  Joomla! should work with PHP 4 or PHP 5.  It really doesn't matter much as it has some backwards compatability libraries that "back-port" behavior in newer PHP versions so that they are available on older versions.  Assuming a 3rd party component is written correctly, it should work as well in either situation.

3.  Performance... you won't/shouldn't notice any changes in performance.  There is theoretically performance differences but I think you would have a hard time noticing them.

Well, for a long time, Joomla!'s htaccess file was only used for SEF (search engine friendly) URL implementations.  It wasn't until 1.0.11 that it contained anything directly related to security.  However, you have to be careful when you rename the file if you are not using SEF on your site as it is still on by default in the htaccess.txt file.  There are some other discussion threads that discuss this matter and if you search the forums you will probably be able to find them.  I would offer the link but I don't have it handy, sorry.

I hope that helps, Rob
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions

briar
Joomla! Apprentice
Joomla! Apprentice
Posts: 7
Joined: Thu Oct 05, 2006 12:53 pm

Re: Discussion for: Security Messages in Joomla! 1.0.11

Post by briar » Fri Oct 06, 2006 9:20 am

Hi Rob

Thanks for the quick reply.

The second quetion was to understand if the instruction I had added to my .htaccess file would be a problem if there was no PHP5 on the server and if this would create an error breaking Joomla? I ask this in context with the first question as I wondered that if this was not host specific, it could well help Joomla users like myself with limited coding skills to make their site secure.

Regarding the SEF element, I will take a look at the post(s) to understand this better, but in the meantime, the version I am using is the 1.0.11 and if i am not mistaken the use of the .htaccess file is recommended with this version due to the security elements included?


The immediate question is SEF a functional default component in this version, I have assumed it is as everything appears to work fine on the test site?

Regards

David

User avatar
RobS
Joomla! Ace
Joomla! Ace
Posts: 1367
Joined: Mon Dec 05, 2005 10:17 am
Location: New Orleans, LA, USA
Contact:

Re: Discussion for: Security Messages in Joomla! 1.0.11

Post by RobS » Fri Oct 06, 2006 10:32 am

No, it isn't on by default if I remember correctly.  I don't think it could be as you would get 404 errors until the htaccess.txt was renamed appropriately.  To enable SEF you need to do two things, rename htaccess.txt to .htaccess and enable it in the Global Configuration options.  To disable you disable it in the global config and comment out the related lines in .htaccess.  You should be able to figure out which lines they are (about 5 of them) just be reading the file as it states pretty clearly where they are.  Just put a # sign in front of them like the other comment lines.  If you are unsure, try a search.  I know I have answered this before  8)
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions


Locked

Return to “Security - 1.0.x”