Old May 19th, 2008, 11:45 AM   #1 (permalink)
htaccess allow_url_fopen and register_globals

Sorry, but I am not familiar with HTACCESS.

i currently have


AuthType Basic
AuthName "Admin Control"
AuthUserFile "/home/jttechno/.htpasswds/admin/passwd"
require valid-user

I want to add

allow_url_fopen and register_globals

but this doesn't work

AuthType Basic
AuthName "Admin Control"
AuthUserFile "/home/jttechno/.htpasswds/admin/passwd"
require valid-user

php_flag allow_url_fopen on

(I solved the register globals by invoking a function to do foreach $superglobal as $value => $key ....)


Any help please? Thanks in advance!
__________________
Regards,
Jake See
Pass15:
http://www.vuox.com
Old June 27th, 2008, 7:39 PM   #2 (permalink)
gmax21
Wouldn't using allow_url_fopen cause too much of a security risk?

Why not try curl instead?
Old June 27th, 2008, 7:40 PM   #3 (permalink)
gmax21
Sorry the php manual on curl is: PHP: cURL - Manual
Old June 27th, 2008, 10:36 PM   #4 (permalink)
patrickb
Gmax hit it on the money, those two settings are usually always cut off server wide and you will not be able to enable them because they are HUGE security risks. Very easy for someone to do whatever they want on your website if you have them on, mainly allow_url_fopen. I can't stress enough how bad it is to think about cutting those on.

Take a look at the link for cURL that gmax posted. That should do what ya need there.

Also the foreach loop you use to gather the variables is just as dangerous. It is much better to get the specific variables you need in each php script when you need them, rather than take every variable available in the environment at execution. Check out PHP: Using Register Globals - Manual for an explanation of how it can be exploited and why that method you are using now isn't a good idea.
__________________
Patrick

Warnings: The program(s) might crash unexpectedly or behave otherwise strangely. (But of course, so do many commercial programs on Windows.) --www.gimp.org
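
What the post above describes, as an added example that is not part of the original thread: the foreach loop that emulates register_globals, next to reading only the named inputs a script needs. The request array and the names is_admin, page and id are constructed for illustration; in a web request the input would be $_GET or $_POST.

```php
<?php
// Added example, not code from the thread. The request data is constructed
// so the script runs from the CLI; is_admin, page and id are hypothetical.
$request = ['page' => 'orders', 'id' => '42', 'is_admin' => '1'];

// BEFORE: a loop emulating register_globals, as described in post #1.
// Every request key becomes a variable in the current scope.
function emulate_register_globals(array $input): array
{
    $is_admin = false;          // meant to be set only by the auth check
    foreach ($input as $key => $value) {
        $$key = $value;         // a request key named is_admin replaces it
    }
    return ['is_admin' => $is_admin, 'page' => $page ?? null];
}

// AFTER: fetch the specific variables the script needs and validate each.
function read_inputs(array $input): array
{
    $allowed_pages = ['orders', 'invoices'];
    $page = $input['page'] ?? 'orders';
    if (!in_array($page, $allowed_pages, true)) {
        $page = 'orders';       // unknown values fall back to a safe default
    }
    $id = filter_var(
        $input['id'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    $is_admin = false;          // never taken from request data
    return [
        'is_admin' => $is_admin,
        'page'     => $page,
        'id'       => $id === false ? null : $id,
    ];
}

echo "emulated register_globals:\n";
var_dump(emulate_register_globals($request));
echo "explicit, validated inputs:\n";
var_dump(read_inputs($request));
```

Comparing the two dumps shows that the request-supplied is_admin key reaches the application variable only in the first function.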
Old June 27th, 2008, 10:40 PM   #5 (permalink)
gmax21
Who's giving me some money? ;-) lol

Sorry I totally missed your loop, why would you want to do such a thing?

It's like using a plastic bag to carry uncovered sharp blades ;-)