switch off the PHP setting "register_globals"!

Dear All,

After uploading the webyep-system folder to my root and access the
Easy Website Builder | Web Hosting Included | Ownwebsite.com i got the following warning message:
Security Warning
This web server has a weak security configuration. Please ask the administrator to switch off the PHP setting “register_globals”!
My question is, how do I turn it off? I tried to add a .htacess like this:
register_globals = off but it didn’t work

and found an online instruction to add a php.ini file with register_globals = off,
but have no idea how to create this php.ini file

Please, any help

thanks!

Marcus


freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

php_flag register_globals off

Just that in your .htaccess file should do it. It is MUCH better for this to be set at the php.ini file level, though, which your hosting provider can do for you.

Walter

On Nov 5, 2012, at 1:06 PM, Marcus Do Carmo wrote:

Dear All,

After uploading the webyep-system folder to my root and access the
Easy Website Builder | Web Hosting Included | Ownwebsite.com i got the following warning message:
Security Warning
This web server has a weak security configuration. Please ask the administrator to switch off the PHP setting “register_globals”!
My question is, how do I turn it off? I tried to add a .htacess like this:
register_globals = off but it didn’t work

and found an online instruction to add a php.ini file with register_globals = off,
but have no idea how to create this php.ini file

Please, any help

thanks!

Marcus


freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options


freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

Assuming your host allows you to disable it manually, then use a proper text editor and create a new file

php.ini

then add

register_globals=Off

Save it in the site root. Then view your php configuration by creating a new file

phpinfo.php

and add

<?php
phpinfo();
?>

and save it to the site root.

If you’ve been successful register_globals should show as “off” when you view the phpinfo.php file in a browser.

Todd
http://xiiro.com


freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

I might be doing something wrong. None of those ideas worked. Put the php_flag register_globals off on the .htaccess gave me an Internal Server Error: “The server encountered an internal error or misconfiguration and was unable to complete your request.Please contact the server administrator, [no address given] and inform them of the time the error occurred, and anything you might have done that may have caused the error.”

and the other options that Todd gave me I am not sure I did it correctly. When I access my http://www.plusartgraphics.com/webyep-system/info.php still gives me the same warning. I can access http://www.plusartgraphics.com/phpinfo.php and it takes me to another menu but WebYep still wrong…

Thanks
Marcus


freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

Try moving the php.ini and phpinfo.php files into the WebYep system folder and see what happens.

Todd


freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

I did it but still have the same Security Warning: “This web server has a weak security configuration. Please ask the administrator to switch off the PHP setting “register_globals”!”


freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

And you still get the same warning if you place the php.ini in the site root (public_html)?

Do you still have any register_globals settings in the .htaccess file?

Todd

I did it but still have the same Security Warning: “This web server has a weak security configuration. Please ask the administrator to switch off the PHP setting “register_globals”!”


freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

If my .htaccess rule didn’t do it, then your server may not be set up to allow .htaccess to modify the PHP environment. t think you may have to go to your hosting provider and ask them to do it.

For anyone who wonders why you’d want to turn this off, long ago (mid to late 90s) PHP used to automagically turn any form request or querystring variable into a global variable, ready to use. This was widely considered to be very convenient, and a very bad idea security-wise, not necessarily in that order. Imagine the following code:

if($admin = true){
	//do super-secret stuff here
}

Now imagine if Susie Hacker comes along and asks for your_page.php?admin=true. Guess what happens then, if register_globals is on?

This setting was deprecated (warned that it was a very bad idea) BEFORE the last millennium anniversary, and turned off in the PHP5.0 branch. Your hosting provider has been allowing this dreadful setting to continue for over a decade. This is a very dark mark against them and their notion of security.

Walter

On Nov 5, 2012, at 2:08 PM, Marcus Do Carmo wrote:

I did it but still have the same Security Warning: “This web server has a weak security configuration. Please ask the administrator to switch off the PHP setting “register_globals”!”


freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options


freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

I went through a similar problem with another CMS, it’s frustrating.

Try this,

First try putting the php.ini file in the webyep-system > program folder and check for the warning. If that doesn’t work then move php.ini to the webyep-system > data folder and recheck.

Todd


freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

Not all hosting providers support a local php.ini file. Your host needs to have specifically enabled this option when they built their Apache and mod_php servers. If the .htaccess is not allowed to modify PHP (which is what was signaled when you tried my code and got a 500 error) then it’s doubtful that php.ini would be on the table, either, since that’s a much higher-level set of preferences than .htaccess. It seems likely that if they don’t trust you with .htaccess, they seriously don’t want you to change much of anything.

Walter

On Nov 5, 2012, at 2:23 PM, Todd wrote:

I went through a similar problem with another CMS, it’s frustrating.

Try this,

First try putting the php.ini file in the webyep-system > program folder and check for the warning. If that doesn’t work then move php.ini to the webyep-system > data folder and recheck.

Todd


freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options


freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

Yes, Walter. Network Solutions ins’t doing a good job lately…

Todd I am not sure I got your instructions well. Sorry.
I put the php.ini in the web yep-system folder and it didn’t work, so should I move it again to web yep-system folder if this is already there

Marcus

On 5 Nov 2012, 6:21 pm, waltd wrote:

Your hosting provider has been allowing this dreadful setting to continue for over a decade. This is a very dark mark against them and their notion of security.

Walter


freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

I have used the .htacess for redirect the page and stuff like that and it worked but with the php…no


freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

Not all hosting providers support a local php.ini file.

Exactly. I mentioned that possibility earlier but it does seem kind of odd they wouldn’t. Or maybe it’s not odd.

I had a client on Network Solutions and there were always problems. He moved and is much happier.


freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

The webyep-system folder should contain a couple other folders: ‘data’ and ‘program’. Move php.ini into each one in turn and see what happens. It’s a longshot but you might as well try.

Todd

I put the php.ini in the web yep-system folder and it didn’t work, so should I move it again to web yep-system folder if this is already there


freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

Got it. I’ll try all of these options and if its not successful I will call Network and see what they do.

Thank you all!
Marcus


freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

As I understand it (and I may be wrong) placing the php.ini in the site root (assuming your host allows it) should Just Work™. But as I mentioned earlier I had a similar issue with Perch and MacHighway. It turns out I had to place php.ini in a very specific location in the Perch core directory where the Perch does all of its core processing. Normally this should not be necessary but it was for some reason which I still don’t understand. I do think it was a server quirk but I’m not certain and MH said it was a Perch issue and the Perch devs said it was a server issue. Round and round it went.

Marcus, your problem sounds very similar.

Todd
http://xiiro.com


freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options