[Security] Register_globals, allow_url_fopen off on new servers
New Servers
To ease the problems of php exploits and increase server security, all new servers (beginning with SH109 and Pass69) will have the following functions disabled:
register_globals
allow_url_fopen
When we began to use phpsuexec on our servers, it was like breathing fresh life into our servers again. Now to disable these two functions is really the icing on the cake. Hackers and spammers will now have extremely limited means of accessing outdated programs and the like - but you still should keep all applications updated as usual.
Does the disabling of these functions make your life any easier? Well, to be honest with you, it doesn't. To have these functions remain open is easy for programmers but not good at all when security of the server is in mind. And we cannot let scammers have their way with our servers and your websites, don't you agree?
At this time we will prepare a guide on how to mimic these functions if you happen to get a new account.
Older Servers
And of course we would like to do this on all older servers as well, but that would create quite the chaos. Maybe we can on one server at a time over the next two years, at a very slow pace in order to keep up with the support requests, but at this time we will continue to deal with exploits as we get them. The biggest problem right now continues to be the Mambo components exploit, which would not even be possible if register_globals/allow_url_fopen functions were already disabled on our servers, which is the very unfortunate part.
Thoughts, comments? Please reply.
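What the change means for a script on one of the new servers, as an added example that is not part of the original announcement or the host's promised guide: it reports the two directives, reads a request parameter explicitly, and maps it onto a fixed list of local files instead of relying on a global set from the request. The `page` parameter and the file names are hypothetical.

```php
<?php
// Added example, not the host's code. Parameter and file names are hypothetical.
// Written without newer syntax so it also runs on old PHP builds where
// register_globals still exists (the directive was removed in PHP 5.4).

// True when a boolean php.ini directive is switched on. ini_get() returns
// false for a directive the running PHP does not know, which counts as off.
function directive_enabled($name)
{
    $value = strtolower(trim((string) ini_get($name)));
    return in_array($value, array('1', 'on', 'yes', 'true'));
}

// Map a request value onto a fixed list of local files. Anything that is not
// a known key (including URL-shaped values) falls back to the default page.
function resolve_page($requested, $allowed, $default)
{
    if (is_string($requested) && isset($allowed[$requested])) {
        return $allowed[$requested];
    }
    return $allowed[$default];
}

$base = dirname(__FILE__);
$allowed = array(
    'home'    => $base . '/pages/home.php',
    'contact' => $base . '/pages/contact.php',
);

foreach (array('register_globals', 'allow_url_fopen') as $name) {
    echo $name, ': ', directive_enabled($name) ? 'on' : 'off', "\n";
}

// With register_globals off, $page is not created from the query string;
// the script has to read the superglobal itself.
$requested = isset($_GET['page']) ? $_GET['page'] : 'home';
echo 'request -> ', resolve_page($requested, $allowed, 'home'), "\n";

// Constructed sample inputs showing the fallback to the default page.
$samples = array('contact', 'no-such-page', 'http://example.invalid/x.txt', array('home'));
foreach ($samples as $sample) {
    $label = is_string($sample) ? $sample : gettype($sample);
    echo $label, ' -> ', resolve_page($sample, $allowed, 'home'), "\n";
}
// A real page would finish with: include resolve_page($requested, $allowed, 'home');
```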