register-globals

I’ve already exhausted my hosting and CMS support avenues so I’m posting here.

I use MacHighway and I’ve successfully installed MODX on the server. The only problem is that MODX requires register-globals be Off which in my case they are not.

First I tried uncommenting this line “#php_flag register_globals Off” in the root MODX .htaccess file (I can post the entire file if that will help). While this does not throw a 500 error I still get the “Configuration Error” about register-globals being On in the Manager.

I then tried disabling the above .htaccess file and instead tried this MacHighway tutorial regarding modifying the php.ini file (“Modify the php.ini file for your site - Knowledgebase - MacHighway”) but this method does throw a 500 error.

Either way it fails so I’m unsure as to what to try next. MacHighway claims r_g can be turned Off/On easily at the domain level using the php.ini/.htaccess but I’ll be damned if I can figure it out. Changing hosts is not really an option so if anyone can help me sort this out I would be grateful.

Todd


dynamo mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

Wow. What version of PHP are they running? RG was flagged as a bad thing back in the '90s, and removed from the defaults in the early 'oughts.

If you have access to your own php.ini file, then change this line:

; Whether or not to register the EGPCS variables as global variables.  You may
; want to turn this off if you don't want to clutter your scripts' global scope
; with user data.  This makes most sense when coupled with track_vars - in which
; case you can access all of the GPC variables through the $HTTP_*_VARS[],
; variables.
; You should do your best to write your scripts so that they do not require
; register_globals to be on;  Using form variables as globals can easily lead
; to possible security problems, if the code is not very well thought of.
; http://php.net/register-globals
register_globals = Off

That’s the default setting here on Mac OS X’s built-in PHP.

If you don’t, then use the .htaccess trick. First, you will have to ensure that your Apache config has set

AllowOverride All

If it has not, then you will need to add this directive inside the Directory block for your particular virtual host in the Apache configuration file.

Then set

php_flag register_globals off

in your .htaccess to turn off register globals.

Walter

On Jun 12, 2012, at 10:47 AM, Todd wrote:

I’ve already exhausted my hosting and CMS support avenues so I’m posting here.

I use MacHighway and I’ve successfully installed MODX on the server. The only problem is that MODX requires register-globals be Off which in my case they are not.

First I tried uncommenting this line “#php_flag register_globals Off” in the root MODX .htaccess file (I can post the entire file if that will help). While this does not throw a 500 error I still get the “Configuration Error” about register-globals being On in the Manager.

I then tried disabling the above .htaccess file and instead tried this MacHighway tutorial regarding modifying the php.ini file (“Modify the php.ini file for your site - Knowledgebase - MacHighway”) but this method does throw a 500 error.

Either way it fails so I’m unsure as to what to try next. MacHighway claims r_g can be turned Off/On easily at the domain level using the php.ini/.htaccess but I’ll be damned if I can figure it out. Changing hosts is not really an option so if anyone can help me sort this out I would be grateful.

Todd



What version of PHP are they running?

v5.2.17



5.4.3 is the current stable, 5.2.17 was released in Jan. 2011, at which point 5.3 was the stable branch, and 5.2 was already in late maintenance mode. I hope they have a crack bunch of patchers there, because there aren’t any releases on the 5.2 branch since 2011/1/06!

Walter

On Jun 12, 2012, at 11:22 AM, Todd wrote:

What version of PHP are they running?

v5.2.17



Is this a problem worthy of moving to a new host?

T.

5.4.3 is the current stable, 5.2.17 was released in Jan. 2011, at which point 5.3 was the stable branch, and 5.2 was already in late maintenance mode. I hope they have a crack bunch of patchers there, because there aren’t any releases on the 5.2 branch since 2011/1/06!

Walter

On Jun 12, 2012, at 11:22 AM, Todd wrote:

What version of PHP are they running?

v5.2.17



Now that I think about it, the whole register globals change happened between version 2 and 3. There was a long time when ISPs were leaving it configured to register globals, simply because this was a breaking change for anyone accustomed to the old way of coding. But it’s long past time for them to have welded that door shut at the master php.ini level, and left it for the individual user to abuse – but then only if they are also suexec(ing) the environment so each user can’t hurt the others.

I don’t know if it’s a complete reason to change, but I would definitely take it up with them in a service ticket and note your disappointment that they are still defaulting to such a dangerous setting. First see if you can get the damned thing turned off, then holler at them.

Walter

On Jun 12, 2012, at 11:34 AM, Todd wrote:

Is this a problem worthy of moving to a new host?

T.

5.4.3 is the current stable, 5.2.17 was released in Jan. 2011, at which point 5.3 was the stable branch, and 5.2 was already in late maintenance mode. I hope they have a crack bunch of patchers there, because there aren’t any releases on the 5.2 branch since 2011/1/06!

Walter

On Jun 12, 2012, at 11:22 AM, Todd wrote:

What version of PHP are they running?

v5.2.17



I don’t know if it’s a complete reason to change, but I would definitely take it up with them in a service ticket and note your disappointment that they are still defaulting to such a dangerous setting. First see if you can get the damned thing turned off, then holler at them.

I’ll try your suggestion. I’ve already put too much work into transferring the site to MODX so if I can’t disable r_g then moving will be the only other option.

Thanks,

T.



You guys are lucky – I had made considerable investment in Wordpress only
to have it trigger my host provider’s security algorithm, so now it
temporarily locks out my IP every time I make an edit through WP. They are
normally quite capable and helpful, but are stumped as to how to fix it. So
I’m having to re-strategize.


Ernie Simpson

On Tue, Jun 12, 2012 at 11:52 AM, Todd email@hidden wrote:

I don’t know if it’s a complete reason to change, but I would definitely
take it up with them in a service ticket and note your disappointment that
they are still defaulting to such a dangerous setting. First see if you can
get the damned thing turned off, then holler at them.

I’ll try your suggestion. I’ve already put too much work into transferring
the site to MODX so if I can’t disable r_g then moving will be the only
other option.

Thanks,

T.



That’s interesting because I was reading a comparison between MODX and Wordpress and found mention of a similar problem to yours. No solution offered though.

Todd
http://xiiro.com

On Jun 12, 2012, at 8:13 PM, Ernie Simpson wrote:

You guys are lucky – I had made considerable investment in Wordpress only
to have it trigger my host provider’s security algorithm, so now it
temporarily locks out my IP every time I make an edit through WP. They are
normally quite capable and helpful, but are stumped as to how to fix it. So
I’m having to re-strategize.

On Tue, Jun 12, 2012 at 11:52 AM, Todd email@hidden wrote:

I’ll try your suggestion. I’ve already put too much work into transferring
the site to MODX so if I can’t disable r_g then moving will be the only
other option.



To wrap this up, placing a php.ini file with ‘register_globals=Off’ in the MODX Manager directory was throwing a PDO error (whatever that is).

When I added these 2 lines it worked. No ‘Configuration Error’ in the Manager and no need to mess with htaccess.

register_globals=Off
extension=pdo.so
extension=pdo_mysql.so

I also placed a php.ini in the site root for good measure. What a PITA this has been.

Todd

On Jun 12, 2012, at 10:19 AM, Walter Lee Davis wrote:

If you have access to your own php.ini file, then change this line:

; Whether or not to register the EGPCS variables as global variables.  You may
; want to turn this off if you don't want to clutter your scripts' global scope
; with user data.  This makes most sense when coupled with track_vars - in which
; case you can access all of the GPC variables through the $HTTP_*_VARS[],
; variables.
; You should do your best to write your scripts so that they do not require
; register_globals to be on;  Using form variables as globals can easily lead
; to possible security problems, if the code is not very well thought of.
; http://php.net/register-globals
register_globals = Off

That’s the default setting here on Mac OS X’s built-in PHP.

If you don’t, then use the .htaccess trick. First, you will have to ensure that your Apache config has set

AllowOverride All

If it has not, then you will need to add this directive inside the Directory block for your particular virtual host in the Apache configuration file.

Then set

php_flag register_globals off

in your .htaccess to turn off register globals.
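
A way to confirm which settings are actually in effect after the php.ini and .htaccess changes discussed in this thread, as an added example that is not from any poster, MODX or MacHighway. The file name rgcheck.php is hypothetical; the script assumes it is placed in the directory being tested (for instance the MODX Manager directory) and requested through the web server.

```php
<?php
// rgcheck.php (hypothetical name): added diagnostic, not code from the thread.
// Reports the configuration PHP is really running with in this directory.
// It discloses server details, so delete it as soon as you have the answer.

// Normalise a boolean ini directive. ini_get() returns false when the
// directive does not exist (register_globals was removed in PHP 5.4), and
// otherwise a string that may be "1", "On", "true" or "yes" when enabled.
function ini_flag_is_on($name) {
    $raw = ini_get($name);
    if ($raw === false) {
        return null;
    }
    return in_array(strtolower(trim($raw)), array('1', 'on', 'true', 'yes'), true);
}

header('Content-Type: text/plain');

$sapi = php_sapi_name();
$ini  = php_ini_loaded_file();   // available from PHP 5.2.4
$rg   = ini_flag_is_on('register_globals');

echo 'PHP version:      ', PHP_VERSION, "\n";
echo 'Server API:       ', $sapi, "\n";
echo 'Loaded php.ini:   ', ($ini === false ? '(none)' : $ini), "\n";
echo 'register_globals: ',
     ($rg === null ? 'not available in this PHP' : ($rg ? 'On' : 'Off')), "\n";

// The extensions that had to be re-declared in the per-directory php.ini
// posted at the end of the thread.
foreach (array('pdo', 'pdo_mysql') as $ext) {
    echo str_pad("extension $ext:", 18),
         (extension_loaded($ext) ? 'loaded' : 'MISSING'), "\n";
}

// php_flag and php_value lines in .htaccess are implemented by the Apache
// PHP module. Under CGI or FastCGI they are not processed by PHP at all,
// and the setting has to come from a php.ini file instead.
if (stripos($sapi, 'apache') === false) {
    echo "\nPHP is not running as an Apache module here: ",
         "use php.ini, not php_flag in .htaccess.\n";
}
```

Run it once per directory that has its own php.ini: the "Loaded php.ini" line shows which file won, and a MISSING extension line means that file needs the corresponding `extension=` entry.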

