
[Security] Register_globals, allow_url_fopen off on new servers

January 10th, 2007, 5:32 PM   #10 (permalink)
m0nty, hosted on sh106
Quote:
Originally Posted by Kayla
I don't see why not. Any other suggestions before these servers go up?

session.use_trans_sid disable too :-)
__________________
Smartfactory.ca Module Development Team.
ImpressCMS.org Impress CMS Project: Making a lasting impression!

surpass server: SH106
January 10th, 2007, 8:47 PM   #11 (permalink)
Gaia, hosted on SH106
Glad to see Surpass starting to do this. I was a little surprised to see these PHP options turned on. Do you have any future plans to turn these off on older servers as well?
__________________
||http://eternal-realm.net
||http://usebbzone.com
---------
Go There: Surpass Wiki
----------
|| SH106
January 10th, 2007, 10:02 PM   #12 (permalink)
H
I'm having second thoughts about magic_quotes. It'd be frickin' awesome, but it may result in major SQL injection problems. Not quite second thoughts, but concern...
January 25th, 2007, 3:20 AM   #13 (permalink)
Kayla (Surpass Staff)
We have decided to *really* focus on allow_url_fopen and getting it disabled on all servers.

Security risks come up much more often with this feature being on. (Case in point.) We'll get these types of problems settled for good and press on.

SH109 is up with these changes.
Pass69 will be up soon with these same changes.

I'm currently making a schedule for the older servers.
__________________
Follow Surpass on Twitter and Facebook
Check out interesting finds on the Surpass Blog
.... it's coming.


February 22nd, 2007, 5:08 AM   #14 (permalink)
hmphoto, hosted on Pass 69
I'm new here and I'm sorry if this has already been addressed - but I can't find it. On PASS69.
Quote:
New Servers
To ease the problems of php exploits and increase server security, all new servers (beginning with SH109 and Pass69) will have the following functions disabled:

register_globals
allow_url_fopen
I'm currently trying to install a test application that requires register_globals to be disabled. According to the above it should be, but when I try to access the application on the test server, it appears not to be.
"Error: register_globals is enabled!"
URL is here: http://www.north-ayrshire.org/store/

Can someone tell me if I can change this by creating a php.ini for this account only?
__________________
scottish-domain.com::Pass69
February 25th, 2007, 5:06 AM   #15 (permalink)
hmphoto, hosted on Pass 69
seems to have been sorted now :-)
__________________
scottish-domain.com::Pass69
February 26th, 2007, 2:47 PM   #16 (permalink)
panache, hosted on pass86'd
All I can say on this is programmers better get up to speed. I programmed a Joomla mod with fopen, only to realize how much of a problem I had because some software I bought used fopen, so I recoded it using cURL instead, which appears to be better... how I don't know, but they say it is. Either way, I say it's time for programmers to program properly and up to speed with what security demands.

MJ
July 12th, 2007, 2:20 AM   #17 (permalink)
jmueller, hosted on Pass43;SH108
Kayla & Co.

I have just installed open source ModX on a new BOGO server. It came back with this warning:

"Configuration check

One or more configuration details didn't check out OK:
Configuration warning: 'register_globals is set to ON in your php.ini configuration file'

What does this mean?
This configuration makes your site much more susceptible to Cross Site Scripting (XSS) attacks. You should speak to your host about what you can do to disable this setting. "

What do I need to do to cure this?
__________________
Women and cats will do as they please; men and dogs should just relax and get used to the idea. ~~ Anonymous

Surpass Server Info: 72-29-83-77 .dimenoc.com [Pass43]

Surpass Server Info: 66-7-201-40 .dimenoc.com [SH108]


Visit me on the web at:
http://pixelita.com
http://jonimueller.com


Visit the World's Largest and Best Serbian Internet Forum:
http://www.burek.co.yu
July 12th, 2007, 2:33 AM   #18 (permalink)
removed (Surpass Abuse Admin)
Create a new text file in your public_html directory, name it php.ini, and add this to it:
register_globals = 0

That should fix things.
__________________
Unofficial IRC Channel: #surpass EFNet
Unofficial = No official support. Support requests can be submitted to our helpdesk.
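
An added example, not part of any post in this thread: a small Python check that reads the text of a per-account php.ini like the one described in the reply above and reports whether the directives named in the thread (register_globals, allow_url_fopen, session.use_trans_sid) are explicitly switched off. The sample file contents and all function names are constructed for illustration.

```python
import re

# Directives the posts in this thread ask to have switched off.
WANT_OFF = ("register_globals", "allow_url_fopen", "session.use_trans_sid")
# Spellings php.ini accepts for boolean false / true (values are case-insensitive).
FALSE_WORDS = {"0", "off", "false", "no", "none", ""}
TRUE_WORDS = {"1", "on", "true", "yes"}
ASSIGN_RE = re.compile(r"^\s*([A-Za-z_][\w.]*)\s*=\s*(.*?)\s*$")

# Constructed sample of a per-account php.ini (not taken from the thread).
SAMPLE = """\
; per-account override
register_globals = 0
allow_url_fopen = On   ; still enabled
[Session]
;session.use_trans_sid = 0
"""

def parse_ini(text):
    """Return {directive: value}; a later assignment overrides an earlier one."""
    settings = {}
    for line in text.splitlines():
        if line.strip().startswith((";", "[")):
            continue  # comment or [section] header
        m = ASSIGN_RE.match(line)
        if m:
            # Directive names are case-sensitive; drop a trailing ';' comment and quotes.
            settings[m.group(1)] = m.group(2).split(";", 1)[0].strip().strip("\"'")
    return settings

def audit(text):
    """Map each watched directive to 'off', 'on', 'unset' or 'review'."""
    settings = parse_ini(text)
    report = {}
    for name in WANT_OFF:
        if name not in settings:
            report[name] = "unset"  # the server-wide default applies
        elif settings[name].lower() in FALSE_WORDS:
            report[name] = "off"
        elif settings[name].lower() in TRUE_WORDS:
            report[name] = "on"
        else:
            report[name] = "review"  # value this check does not classify
    return report

def not_confirmed_off(text):
    """Directives the file does not explicitly switch off."""
    return [n for n, state in audit(text).items() if state != "off"]

if __name__ == "__main__":
    for name, state in audit(SAMPLE).items():
        print(f"{name}: {state}")
```

A directive reported as "unset" inherits whatever the server-wide configuration says, so it is listed by not_confirmed_off() alongside directives that are explicitly on.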