switch off the PHP setting "register_globals"!

Dear All,

After uploading the webyep-system folder to my root and accessing
mywebsite.com, I got the following warning message:
Security Warning
This web server has a weak security configuration. Please ask the administrator to switch off the PHP setting “register_globals”!
My question is, how do I turn it off? I tried to add a .htaccess like this:
register_globals = off but it didn’t work

and found an online instruction to add a php.ini file with register_globals = off,
but have no idea how to create this php.ini file

Please, any help

thanks!

Marcus


freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

php_flag register_globals off

Just that in your .htaccess file should do it. It is MUCH better for this to be set at the php.ini file level, though, which your hosting provider can do for you.

Walter

On Nov 5, 2012, at 1:06 PM, Marcus Do Carmo wrote:

Dear All,

After uploading the webyep-system folder to my root and accessing
mywebsite.com, I got the following warning message:
Security Warning
This web server has a weak security configuration. Please ask the administrator to switch off the PHP setting “register_globals”!
My question is, how do I turn it off? I tried to add a .htaccess like this:
register_globals = off but it didn’t work

and found an online instruction to add a php.ini file with register_globals = off,
but have no idea how to create this php.ini file

Please, any help

thanks!

Marcus



Assuming your host allows you to disable it manually, then use a proper text editor and create a new file

php.ini

then add

register_globals=Off

Save it in the site root. Then view your php configuration by creating a new file

phpinfo.php

and add

<?php
phpinfo();
?>

and save it to the site root.

If you’ve been successful register_globals should show as “off” when you view the phpinfo.php file in a browser.

Todd
http://xiiro.com
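A narrower check than the full phpinfo() page described above, as an added example that is not part of the original thread: it reports which php.ini the server actually loaded, how PHP is attached to the web server, and the effective register_globals value. The function name describe_register_globals() is made up for this example, and the syntax is kept old-style so it also parses on the old PHP versions that still have this setting.

```php
<?php
// Added example (not from the thread). Save it in the folder being
// tested, open it in a browser, then delete it again.
header('Content-Type: text/plain');

// describe_register_globals() is a hypothetical helper name.
function describe_register_globals()
{
    $raw = ini_get('register_globals');
    if ($raw === false) {
        // ini_get() returns false for a directive this PHP build does
        // not know; register_globals was removed in PHP 5.4.
        return 'not present in this PHP version';
    }
    // "1", "On" etc. mean enabled; "", "0", "Off" mean disabled.
    $enabled = in_array(strtolower((string) $raw), array('1', 'on', 'true', 'yes'), true);
    return $enabled ? 'ON' : 'off';
}

$sapi    = php_sapi_name();
$loaded  = php_ini_loaded_file();    // false when no php.ini was read
$scanned = php_ini_scanned_files();  // false when no extra .ini files

echo 'PHP version:       ', PHP_VERSION, "\n";
echo 'Server API (SAPI): ', $sapi, "\n";
echo 'Loaded php.ini:    ', ($loaded ? $loaded : '(none)'), "\n";
echo 'Extra .ini files:  ', ($scanned ? trim($scanned) : '(none)'), "\n";
echo 'register_globals:  ', describe_register_globals(), "\n";

// php_flag lines in .htaccess are directives of the Apache PHP module,
// so they only make sense when PHP runs inside Apache.
if (strpos($sapi, 'apache') === 0) {
    echo "PHP runs as an Apache module: php_flag in .htaccess can work if the host permits overrides.\n";
} else {
    echo "PHP does not run as an Apache module: php_flag in .htaccess is normally unavailable; use php.ini or ask the host.\n";
}
```

If "Loaded php.ini" does not point at the file you created, the server is ignoring it, and moving it between folders will not change the result.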



I might be doing something wrong. None of those ideas worked. Putting the php_flag register_globals off in the .htaccess gave me an Internal Server Error: “The server encountered an internal error or misconfiguration and was unable to complete your request. Please contact the server administrator, [no address given] and inform them of the time the error occurred, and anything you might have done that may have caused the error.”

As for the other options that Todd gave me, I am not sure I did them correctly. When I access my http://www.plusartgraphics.com/webyep-system/info.php it still gives me the same warning. I can access http://www.plusartgraphics.com/phpinfo.php and it takes me to another menu, but WebYep is still wrong…

Thanks
Marcus



Try moving the php.ini and phpinfo.php files into the WebYep system folder and see what happens.

Todd



I did it but still have the same Security Warning: “This web server has a weak security configuration. Please ask the administrator to switch off the PHP setting “register_globals”!”



And you still get the same warning if you place the php.ini in the site root (public_html)?

Do you still have any register_globals settings in the .htaccess file?

Todd

I did it but still have the same Security Warning: “This web server has a weak security configuration. Please ask the administrator to switch off the PHP setting “register_globals”!”



If my .htaccess rule didn’t do it, then your server may not be set up to allow .htaccess to modify the PHP environment. I think you may have to go to your hosting provider and ask them to do it.

For anyone who wonders why you’d want to turn this off, long ago (mid to late 90s) PHP used to automagically turn any form request or querystring variable into a global variable, ready to use. This was widely considered to be very convenient, and a very bad idea security-wise, not necessarily in that order. Imagine the following code:

if($admin == true){
	//do super-secret stuff here
}

Now imagine if Susie Hacker comes along and asks for your_page.php?admin=true. Guess what happens then, if register_globals is on?

This setting was deprecated (warned that it was a very bad idea) BEFORE the last millennium anniversary, and turned off in the PHP5.0 branch. Your hosting provider has been allowing this dreadful setting to continue for over a decade. This is a very dark mark against them and their notion of security.

Walter

On Nov 5, 2012, at 2:08 PM, Marcus Do Carmo wrote:

I did it but still have the same Security Warning: “This web server has a weak security configuration. Please ask the administrator to switch off the PHP setting “register_globals”!”
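The scenario Walter describes above, as an added example that is not part of the original message: import_request_as_globals() is a made-up stand-in for what register_globals=On did before a script started, and the request and session values are constructed sample data. It sets the uninitialised check beside two hardened forms.

```php
<?php
// Added illustration; import_request_as_globals() is a hypothetical
// stand-in for what register_globals=On did before a script started
// (the setting no longer exists in PHP 5.4 and later).
function import_request_as_globals($request)
{
    $scope = array();
    foreach ($request as $name => $value) {
        $scope[$name] = $value;   // ?admin=true becomes $admin = "true"
    }
    return $scope;
}

// Pattern from the message above: $admin is tested but never set by
// the script, so the request decides the outcome.
function check_uninitialised($scope)
{
    extract($scope);              // request values land in local scope
    return isset($admin) && $admin == true;
}

// Fix 1: give the variable a value before using it; the script's own
// assignment overwrites anything imported from the request.
function check_initialised($scope)
{
    extract($scope);
    $admin = false;
    return $admin == true;
}

// Fix 2: decide privilege from server-side state only. The session
// array below is constructed sample data for a non-admin login.
function check_session($session)
{
    return isset($session['role']) && $session['role'] === 'admin';
}

$scope   = import_request_as_globals(array('admin' => 'true')); // constructed request
$session = array('role' => 'editor');

var_dump(check_uninitialised($scope));
var_dump(check_initialised($scope));
var_dump(check_session($session));
```

Only the first check passes for the constructed request; the two hardened forms do not depend on what the query string contains.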



I went through a similar problem with another CMS, it’s frustrating.

Try this,

First try putting the php.ini file in the webyep-system > program folder and check for the warning. If that doesn’t work then move php.ini to the webyep-system > data folder and recheck.

Todd



Not all hosting providers support a local php.ini file. Your host needs to have specifically enabled this option when they built their Apache and mod_php servers. If the .htaccess is not allowed to modify PHP (which is what was signaled when you tried my code and got a 500 error) then it’s doubtful that php.ini would be on the table, either, since that’s a much higher-level set of preferences than .htaccess. It seems likely that if they don’t trust you with .htaccess, they seriously don’t want you to change much of anything.

Walter

On Nov 5, 2012, at 2:23 PM, Todd wrote:

I went through a similar problem with another CMS, it’s frustrating.

Try this,

First try putting the php.ini file in the webyep-system > program folder and check for the warning. If that doesn’t work then move php.ini to the webyep-system > data folder and recheck.

Todd



Yes, Walter. Network Solutions isn’t doing a good job lately…

Todd, I am not sure I got your instructions well. Sorry.
I put the php.ini in the webyep-system folder and it didn’t work, so should I move it again to the webyep-system folder if it is already there?

Marcus

On 5 Nov 2012, 6:21 pm, waltd wrote:

Your hosting provider has been allowing this dreadful setting to continue for over a decade. This is a very dark mark against them and their notion of security.

Walter



I have used the .htaccess to redirect the page and stuff like that and it worked, but with the php…no



Not all hosting providers support a local php.ini file.

Exactly. I mentioned that possibility earlier but it does seem kind of odd they wouldn’t. Or maybe it’s not odd.

I had a client on Network Solutions and there were always problems. He moved and is much happier.



The webyep-system folder should contain a couple other folders: ‘data’ and ‘program’. Move php.ini into each one in turn and see what happens. It’s a longshot but you might as well try.

Todd

I put the php.ini in the webyep-system folder and it didn’t work, so should I move it again to the webyep-system folder if it is already there?



Got it. I’ll try all of these options and if it’s not successful I will call Network and see what they do.

Thank you all!
Marcus



As I understand it (and I may be wrong) placing the php.ini in the site root (assuming your host allows it) should Just Work™. But as I mentioned earlier I had a similar issue with Perch and MacHighway. It turns out I had to place php.ini in a very specific location in the Perch core directory where Perch does all of its core processing. Normally this should not be necessary but it was for some reason which I still don’t understand. I do think it was a server quirk but I’m not certain, and MH said it was a Perch issue and the Perch devs said it was a server issue. Round and round it went.

Marcus, your problem sounds very similar.

Todd
http://xiiro.com

