Elxis CMS Forum
Support => Security => Topic started by: benone on October 09, 2009, 20:58:36
-
Hi people.
This is what I get from updiag central:
PHP register globals is ON
PHP functions system, exec, passthru, shell_exec are enabled
PHP allows openning remote files
I'm on shared hosting. I've tried to solve the problem by placing a custom php.ini file in the home directory, turning off register globals for example.
When I phpinfo I get this:
disable_functions system, exec, passthru, shell_exec, suexec, dbmopen, popen, proc_open, disk_free_space, diskfreespace, set_time_limit, leak
register_globals Off
I've tried to modify the .htaccess file but any change I make to it causes an internal server error.
Also my swf logo file is not playing! It stands there barely as a pregnant toad.
Some help would be greatly appreciated. Thanks in advance.
Ben.
-
Welcome benone,
You also have to disable all these functions in your php.ini.
Using the php.ini is not the best idea, but it solves some problems. Also put the php.ini in the administrator folder.
Check the folder and file permissions: they must be 755 and 644, all except the temp and cache folders.
If you check the forum and the Elxis wiki you can find all the solutions you may need.
-
First find out what your server uses:
mod_php or suPHP?
-
PHP register globals is ON
PHP functions system, exec, passthru, shell_exec are enabled
PHP allows openning remote files
For me, the above would be enough indicators to change hosting (if you use shared hosting).
-
Am I happy, boys! I moved the file into the admin folder and I guess everything is fine except for this last warning from updiag central:
Found 1 security alerts and warnings
PHP allows openning remote files
Where am I supposed to fix this? Pardon my ignorance.
Thanks.
-
http://wiki.elxis.org/wiki/PHP_settings#mod_PHP
You can't override all settings through htaccess or from a per-dir ini file:
http://www.php.net/manual/en/filesystem.configuration.php#ini.allow-url-fopen
allow_url_fopen must be set in the server's default php.ini for PHP versions later than 4.3.4.
If you are under suPHP you can set it; otherwise you need access to the default php.ini.
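
Because a per-directory php.ini only takes effect where the server actually reads it, the values that matter are the effective ones in each folder. The check below is an added example, not part of the original posts or of Elxis; the file name `settings-check.php` and the function names are hypothetical.

```php
<?php
// Added example, not from the thread. Helper names are constructed.
// Reports the effective values PHP is using in the directory this file is in.

// ini_get() returns strings such as "1", "On", "" or "Off" for boolean flags,
// and false when the directive does not exist in this PHP version.
function ini_flag_on($name) {
    $value = ini_get($name);
    if ($value === false) {
        return false;
    }
    return in_array(strtolower(trim($value)), array('1', 'on', 'yes', 'true'), true);
}

function audit_php_settings() {
    $findings = array();
    if (ini_flag_on('register_globals')) {
        $findings[] = 'register_globals is On';
    }
    if (ini_flag_on('allow_url_fopen')) {
        $findings[] = 'allow_url_fopen is On (PHP allows opening remote files)';
    }
    // disable_functions is a comma-separated list; compare it with the four
    // functions named in the diagnostic output.
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    $exposed = array_diff(array('system', 'exec', 'passthru', 'shell_exec'), $disabled);
    if (count($exposed) > 0) {
        $findings[] = 'still enabled: ' . implode(', ', $exposed);
    }
    return $findings;
}

header('Content-Type: text/plain');
// "apache2handler" means mod_php; suPHP runs the CGI binary ("cgi" or "cgi-fcgi").
echo 'SAPI: ' . php_sapi_name() . "\n";
// Shows which php.ini was actually read, if any (PHP 5.2.4 and later).
if (function_exists('php_ini_loaded_file')) {
    $ini = php_ini_loaded_file();
    echo 'Loaded php.ini: ' . ($ini ? $ini : '(none)') . "\n";
}
$findings = audit_php_settings();
if (count($findings) === 0) {
    echo "No findings for this directory.\n";
} else {
    foreach ($findings as $finding) {
        echo 'WARNING: ' . $finding . "\n";
    }
}
```

Place a copy in the site root and in the administrator folder, load each in a browser, then delete both copies, since the output reveals server configuration.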
-
This is what I did:
allow_url_fopen = Off
and everything works like a charm!
Your Elxis installation passed successfully basic security check ;D
Sorry for bothering you with another issue. Like I said earlier, my swf logo is not playing. I remember it came with a file with this name: AC_RunActiveContent.js
Am I supposed to place the above js file in a specific directory to have my logo animation effect? I have read and followed other suggestions in the forum but never heard anyone mention this file. Again my apologies.
-
Did you add suPHP_ConfigPath in htaccess?
*offtopic
This file is called with a simple call like
<script type="text/javascript" src=".../somepath/AC_RunActiveContent.js"></script>
It is used in order to prevent browsers like IE from asking you to click here in order to view this content, etc.
Full documentation:
http://www.adobe.com/devnet/activecontent/articles/devletter.html
-
Hi there.
I have taken a day to solve as many security problems as possible. Now I can say my website is highly protected. I have studied many possible flaws with attention all thanks to your guide and support. I just want to say a big THANK YOU!!!
benone.