
» Surpass Web Hosting Forums » Discussions » All Things Techy » Site Maintenance » [Security] Register_globals, allow_url_fopen off on new servers

#1 | Kayla (Surpass Staff) | January 10th, 2007, 3:27 PM
[Security] Register_globals, allow_url_fopen off on new servers

New Servers
To ease the problems of php exploits and increase server security, all new servers (beginning with SH109 and Pass69) will have the following functions disabled:

register_globals
allow_url_fopen

When we began to use phpsuexec on our servers, it was like breathing fresh life into our servers again. Now to disable these two functions is really the icing on the cake. Hackers and spammers will now have extremely limited means of accessing outdated programs and the like - but you still should keep all applications updated as usual.

Does the disabling of these functions make your life any easier? Well to be honest with you, it doesn't. To have these functions remain open is easy for programmers but not good at all when security of the server is in mind. And we cannot let scammers have their way with our servers and your websites, don't you agree?

At this time we will prepare a guide on how to mimic these functions if you happen to get a new account.

Older Servers
And of course we would like to do this on all older servers as well, but that would create quite the chaos. Maybe we can do one server at a time over the next two years, at a very slow pace in order to keep up with the support requests, but at this time we will continue to deal with exploits as we get them. The biggest problem right now continues to be the Mambo components exploit, which would not even be possible if the register_globals/allow_url_fopen functions were already disabled on our servers, which is the very unfortunate part.

Thoughts, comments? Please reply.
#2 | Tsikura (Registered User) | January 10th, 2007, 4:44 PM
That's a great idea, considering most software these days is coded without the need for register_globals, and fopen is not commonly used in a lot of software. With updated software, phpsuexec/chmod, register_globals off, etc., this will help slow or even stop the script kiddies (lol hackers) from causing harm.

Good idea to apply the changes on all the servers, and for those that need those to be enabled, to just place an .ini file in those directories.
#3 | m0nty (Registered User) | January 10th, 2007, 5:11 PM
Any chance you could change this on serva?

I use the php.ini files for PHP 4, but as I now have the need for PHP 5, I can't use the php.ini files because they don't work with PHP 5 on the server due to it not being in CGI mode.

I can't use php_flag either in .htaccess because that still gives an error 500, so I'm stuck with a site where I'd prefer to have globals & fopen disabled, but can't. And I would prefer not to use ini_set() either, as that means remembering it when the need to update the site comes round, and these days I'm trying very hard not to break into the core of the scripts by hacking them, instead trying to use modules to achieve the task as much as possible.

At least if they were disabled for PHP 5 users, pretty please...
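The two directives from the opening post and the per-directory workaround discussed in the reply above, shown from the script side. This is an added example, not code from the thread or from Surpass; all function and variable names are made up, and the credential store and page list are constructed sample data.

```php
<?php
// Added example, not code from the thread or from Surpass: a bootstrap that
// detects the directives discussed above and shows the coding patterns that
// make them unnecessary. All names below are made up for the example.
// register_globals and magic_quotes_gpc are PHP_INI_PERDIR, allow_url_fopen is
// PHP_INI_SYSTEM: ini_set() cannot turn them off at runtime (only php.ini,
// httpd.conf or .htaccess under mod_php can), so a script can only detect
// them and refuse to run.
function ini_is_on($name) {
    $v = strtolower(trim((string) ini_get($name)));
    return in_array($v, array('1', 'on', 'yes', 'true'), true);
}
function insecure_directives() {
    $on = array();
    foreach (array('register_globals', 'allow_url_fopen', 'magic_quotes_gpc') as $d) {
        if (ini_is_on($d)) {
            $on[] = $d;
        }
    }
    return $on; // empty when all three are off, as on the new servers
}
$bad = insecure_directives();
if ($bad) {
    die('Refusing to run: insecure php.ini settings: ' . implode(', ', $bad));
}

// register_globals: with it On, a request such as index.php?authorized=1
// creates $authorized before this code runs, so an uninitialised flag is
// attacker-controlled:
//     if (check_login($user, $pass)) { $authorized = true; }
//     if ($authorized) { show_admin_panel(); }   // never set to false first
// Hardened form: initialise every flag and read input only via superglobals.
function check_login($user, $pass) {
    $users = array('alice' => 'correct-horse');   // constructed sample store
    return isset($users[$user]) && $users[$user] === $pass;
}
$authorized = false;
$user = isset($_POST['user']) ? $_POST['user'] : '';
$pass = isset($_POST['pass']) ? $_POST['pass'] : '';
if (check_login($user, $pass)) {
    $authorized = true;
}
// allow_url_fopen: with it On (plus allow_url_include from PHP 5.2), a line
// like include($_GET['page']) can load code from a remote URL. Hardened form:
// map the parameter onto a fixed list of local files, never onto a raw path.
function resolve_page($page) {
    $pages = array('home' => 'home.php', 'about' => 'about.php');
    return isset($pages[$page]) ? dirname(__FILE__) . '/pages/' . $pages[$page] : null;
}
```

Because the first three directives cannot be changed with ini_set(), the check only fails closed; on a server where the per-directory php.ini is honoured (CGI mode, as the thread notes) the directives themselves are turned off there.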
#4 | Kayla (Surpass Staff) | January 10th, 2007, 5:12 PM
That's odd.

http://serva.surpasshosting.com/~phpinfot/whoami.php5

PHP5 should be running as CGI on this server. This is not right; it's being fixed up now.

(All new servers run PHP4/5 both in CGI mode.)
#5 | m0nty (Registered User) | January 10th, 2007, 5:17 PM
As always, Kayla, you're quick on the ball.

Dunno what we'd do without you...

Thanks again.
#6 | H (Super #1) | January 10th, 2007, 5:20 PM
All I can say is.... about damn time. Can you turn off magic_quotes as well? Encourage the kids to use prepared statements!
#7 | Kayla (Surpass Staff) | January 10th, 2007, 5:24 PM
http://serva.surpasshosting.com/~phpinfot/phpinfo.php5
Hmm... there it does say CGI.

Actually, I think that due to cPanel limitations (which is unfortunate) php.ini can't be used with PHP5 on our servers, only PHP4.

In this case, I think your original request is correct: we could only disable it on the entire server. And as I said before, that would bring about a large mess. Let me think about this.
#8 | Kayla (Surpass Staff) | January 10th, 2007, 5:25 PM
Quote, originally posted by H:
    All I can say is.... about damn time. Can you turn off magic_quotes as well? Encourage the kids to use prepared statements!
I don't see why not. Any other suggestions before these servers go up?
#9 | m0nty (Registered User) | January 10th, 2007, 5:26 PM
Quote, originally posted by H:
    All I can say is.... about damn time. Can you turn off magic_quotes as well? Encourage the kids to use prepared statements!
Hehe, nice idea to stop as many easily exploitable measures as possible... lol
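The "prepared statements instead of magic_quotes" point raised in posts #6 and #8, run against an in-memory SQLite table built inside the script. This is an added example, not code from the thread; the table, column and function names are made up and the rows are constructed sample data.

```php
<?php
// Added example, not code from the thread: why turning magic_quotes_gpc off
// and using prepared statements is the right trade. Names are made up here.

// Vulnerable: request data interpolated into SQL. magic_quotes_gpc does not
// help here at all, because $id is used unquoted, so its addslashes() escaping
// never comes into play; the input becomes part of the statement either way.
function load_users_vulnerable(PDO $db, $id) {
    return $db->query("SELECT name FROM users WHERE id = $id")->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: a prepared statement keeps SQL and data apart, so no escaping of
// the input is needed, whatever magic_quotes_gpc is set to.
function load_users(PDO $db, $id) {
    $stmt = $db->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// If the code must still run where magic_quotes_gpc is On, undo it once at
// the entry point so the application always sees raw input and relies on
// the prepared statements alone (get_magic_quotes_gpc() is gone in PHP 8).
function strip_magic_quotes($value) {
    return is_array($value) ? array_map('strip_magic_quotes', $value) : stripslashes($value);
}
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET    = strip_magic_quotes($_GET);
    $_POST   = strip_magic_quotes($_POST);
    $_COOKIE = strip_magic_quotes($_COOKIE);
}

// Demo on constructed data: a tautology in the id parameter makes the
// vulnerable query return every row, while the prepared one returns one.
function demo() {
    $db = new PDO('sqlite::memory:');
    $db->exec('CREATE TABLE users (id INTEGER, name TEXT)');
    $db->exec("INSERT INTO users VALUES (1, 'alice')");
    $db->exec("INSERT INTO users VALUES (2, 'bob')");
    $tampered = '1 OR 1=1';
    return array(
        'vulnerable' => load_users_vulnerable($db, $tampered), // alice, bob
        'hardened'   => load_users($db, $tampered),            // alice
    );
}
print_r(demo());
```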