[Pro] Register Globals, Have-Host

Hi all

I use the WebYep mini-CMS a lot, and have a multi-site package with Have-Host.

Have-Host’s php implementation has Register Globals on by default, but WebYep requires it to be off. So for years I’ve been adding a single line to the .htaccess files of my sites: ‘php_flag register_globals 0’. I’m by no means conversant in php, but I’ve picked up a few little snippets like this, and this one has always done the trick.

Yesterday morning I noticed that every single one of my sites using WebYep was down - reporting a 500 Internal Server error. Actually Have-Host’s own user-area was also down with the same problem! On checking the logs it quickly became clear that using that php command in the .htaccess file was the culprit.

So, to get the sites up again, I removed the php entry - all good. But of course WebYep now complains of weak security implementation. I tried placing the same command (and variations of it) in a php.ini file, and putting that at the root level of each site, or in /public_html/ etc - the only other way I’ve heard of to override the server php implementation. But whilst it doesn’t cause an error, it doesn’t override the Register Globals state either.

I emailed James at Have-Host yesterday morning, but no reply yet, which is fair enough. Presumably some change in the php configuration took place on Saturday night, and it seems that Register Globals can no longer be locally overridden. But that might be incorrect - perhaps I’m doing something wrong, or missing something obvious.

Anyone have any ideas? I’d be super-grateful to hear them. I’m stumped at the moment.

Best wishes

Robin


freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

What probably happened on the server side was that the default Apache
configuration variable AllowOverrides was changed from ‘All’ to
something else. In order to send PHP commands like this through
the .htaccess “channel”, you have to have AllowOverrides set to All.
Register Globals cannot be set in a script, because by the time the
script runs, the damage is already done. You’re going to have to get
HaveHost to fix this for you, either by giving you your own personal
php.ini, where you can set this OFF as it belongs, or by re-allowing
Overrides on your account (which they can do at the Apache
configuration file level).

Walter

On Aug 24, 2009, at 7:14 AM, biggy wrote:

Yesterday morning I noticed that every single one of my sites using
WebYep was down - reporting a 500 Internal Server error. Actually
Have-Host’s own user-area was also down with the same problem! On
checking the logs it quickly became clear that using that php
command in the .htaccess file was the culprit.
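
An added example, not part of any message in this thread: Apache accepts a `php_flag` line in .htaccess only when PHP runs as an Apache module and the host's override settings permit it, so after a host-side change it helps to find every site that still carries the line. The function names, the sample tree and the `mod_php5.c` guard shown here are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: list PHP directives found in .htaccess files under a tree and
# mark each as "bare" or "guarded" (inside an <IfModule> block).
# Note: an <IfModule> guard only covers the case where the PHP module is not
# loaded; it does not help when the host disallows the override itself.

# Usage: audit_htaccess /path/to/sites
# Output: FILE:LINE:bare|guarded:DIRECTIVE
audit_htaccess() {
    find "$1" -type f -name .htaccess | sort | while IFS= read -r f; do
        awk -v file="$f" '
            BEGIN { depth = 0 }
            # Work on a trimmed copy of the line.
            { line = $0; sub(/^[ \t]+/, "", line); sub(/[ \t\r]+$/, "", line) }
            line ~ /^#/ { next }                          # skip comments
            tolower(line) ~ /^<ifmodule[ \t>]/ { depth++; next }
            tolower(line) ~ /^<\/ifmodule>/ { if (depth > 0) depth--; next }
            tolower(line) ~ /^php_(admin_)?(flag|value)[ \t]/ {
                printf "%s:%d:%s:%s\n", file, NR, (depth > 0 ? "guarded" : "bare"), line
            }
        ' "$f"
    done
}

# Number of directives that sit outside any <IfModule> block.
# Assumes file paths contain no ":" characters.
count_bare() {
    audit_htaccess "$1" | awk -F: '$3 == "bare" { n++ } END { print n + 0 }'
}

# Demo on a constructed tree (paths and contents are made up for illustration).
demo=$(mktemp -d)
mkdir -p "$demo/site1" "$demo/site2"
printf 'php_flag register_globals 0\n' > "$demo/site1/.htaccess"
printf '<IfModule mod_php5.c>\nphp_flag register_globals 0\n</IfModule>\n' \
    > "$demo/site2/.htaccess"
audit_htaccess "$demo"
echo "bare directives: $(count_bare "$demo")"
rm -rf "$demo"
```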



Thanks a lot Walter - much appreciated. I guess I sit and wait for contact with HaveHost now, and keep my fingers crossed they’ll be accommodating. I’ve always enjoyed good service in the past, so I’m hopeful.

Cheers

Robin



Hello All!

As Robin mentioned, we did indeed go through a security update -
there were many many things that had been, over time, set this way and
that - that it was decided that the only way to ensure that we could
properly secure “things” was to reset and go with Globals “Off” and as
Walter quite rightly said, Register Globals should be set to “Off”
which we have done.

Robin > On a side note - I did not receive your email - can you
forward a copy to: havehost at g mail dot com?

I’m not sure why if Register Globals are now set to “Off” that WebYep
would still think they were… I will investigate.

Cheers!
James

On 24-Aug-09, at 9:38 AM, biggy wrote:

Thanks a lot Walter - much appreciated. I guess I sit and wait for
contact with HaveHost now, and keep my fingers crossed they’ll be
accommodating. I’ve always enjoyed good service in the past, so I’m
hopeful.

Cheers

Robin



Thanks for coming back on this James. Strange, though - I did send an email (several actually!) to exactly that address. I’ll try again today using another account and see if it gets through.

I just logged into cpanel and yes, lo and behold, Register Globals is now off by default. Hooray! But that must have come later as part of the server overhaul, as even cpanel’s php configuration pane was indicating it was on quite far into Sunday, long after I’d remedied the htaccess file problem.

Ah well, we’re up and running again. Cheers - Robin



Unify has the exact same problem…FYI

