Disable Functions In .htaccess
Jun 10, 2009
Is it possible to disable mod_security and open_basedir thru .htaccess if both are enabled in server configuration?
Does the below look good for a private server (linux, cpanel, phpsuexec disabled)?
disable_functions = show_source, system, shell_exec, passthru, phpinfo, popen, proc_open
What about a shared hosting server (linux, cpanel, phpsuexec *enabled*)?
disable_functions = show_source, system, shell_exec, passthru, phpinfo, popen, proc_open
In the php.ini I've disabled several functions for security reasons, but I need to enable exec() and shell_exec() for WHMCS Status, and I don't want it enabled for anything or anyone else. I know you can override the global php.ini, but I would prefer not to have that on, and I also forgot where that option is. I was wondering if there are any workarounds, or would I have to enable exec() and shell_exec() globally or enable php.ini override?
When dealing with the security of your server you will eventually get to the part where you will want to disable some PHP functions. The only problem on shared hosting is that you cannot disable exec for a domain and enable that function for another that needs it because of some lame script. Eventually you will get to the part where you will need to enable exec on the entire server because of one site.
There is a solution to this and it’s called suhosin.
Suhosin has a configuration variable called "suhosin.executor.func.blacklist" which can be used to disable some php functions. The difference between this variable and disable_functions in php.ini is that it can be set for all the sites and then it can be modified for a domain only (it can be overwritten) so you will be able to disable exec on the entire server and enable that function for a single domain.
I will not write here how to install suhosin.
Also, you only need the extension for this so you do not need to patch php and recompile.
IMPORTANT: I have noticed that the suhosin extension 0.9.20 will not work anymore as there are some problems with it. It’s ok as long as we have 0.9.18. Probably the next version of the extension will be fixed to work ok again so remember to use version 0.9.18 for this until the problem is fixed.
Ok, so to use suhosin as the php function blocker we need to comment out disable_functions in php.ini (yes, enable all the functions) and then set in php.ini suhosin.executor.func.blacklist to something like this:
suhosin.executor.func.blacklist = exec, passthru, shell_exec, system, pcntl_exec, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, leak, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, escapeshellcmd, escapeshellarg
You can add as many functions as you like.
After that, all the functions added in suhosin.executor.func.blacklist will not work anymore in php scripts. If you need to enable a function for a domain, let’s say exec, you will have to edit apache configuration file and add suhosin.executor.func.blacklist without the exec function:
<VirtualHost 127.0.0.1>
ServerAlias www.test.com
ServerAdmin webmaster@test.com
DocumentRoot /home/test/public_html
php_admin_value suhosin.executor.func.blacklist "passthru, show_source, shell_exec, system, pcntl_exec, popen, pclose, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, leak, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, escapeshellcmd, escapeshellarg"
</VirtualHost>
Now exec is disabled on the server but it’s enabled on the test domain.
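An added example (not part of the original post): a per-vhost php_admin_value replaces the whole blacklist, so any function left out of an override by mistake is re-enabled for that site. This Python audit diffs each override against the global list; the config text is constructed from the lists in the post, and billing.example and static.example are hypothetical vhosts.

```python
import re

DIRECTIVE = "suhosin.executor.func.blacklist"
# Constructed input: the global list and the test.com override from the post,
# plus two hypothetical vhosts (billing.example, static.example).
GLOBAL = ("exec, passthru, shell_exec, system, pcntl_exec, proc_open, proc_nice, "
          "proc_terminate, proc_get_status, proc_close, leak, apache_child_terminate, "
          "posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, "
          "escapeshellcmd, escapeshellarg")
PHP_INI = ";disable_functions =\n" + DIRECTIVE + " = " + GLOBAL + "\n"
# Same set as the post's test.com override: exec removed, three names added.
TEST_COM = GLOBAL.replace("exec, ", "", 1) + ", show_source, popen, pclose"
HTTPD_CONF = f"""<VirtualHost 127.0.0.1>
ServerAlias www.test.com
php_admin_value {DIRECTIVE} "{TEST_COM}"
</VirtualHost>
<VirtualHost 127.0.0.1>
ServerAlias billing.example
php_admin_value {DIRECTIVE} "passthru, system"
</VirtualHost>
<VirtualHost 127.0.0.1>
ServerAlias static.example
</VirtualHost>
"""

def parse_list(value):
    """Split a comma-separated function list into a set of lowercase names."""
    return {f.strip().lower() for f in value.strip().strip('"').split(",") if f.strip()}

def global_blacklist(ini_text):
    """Return the server-wide blacklist from php.ini text, ignoring ';' comments."""
    for line in ini_text.splitlines():
        key, sep, value = line.split(";", 1)[0].partition("=")
        if sep and key.strip() == DIRECTIVE:
            return parse_list(value)
    return set()

def reenabled(ini_text, conf_text):
    """Map each vhost with an override to the globally blocked functions it omits."""
    base, found = global_blacklist(ini_text), {}
    override = re.compile(r"^\s*php_admin_value\s+" + re.escape(DIRECTIVE) + r"\s+(.+)$", re.M | re.I)
    for block in re.findall(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", conf_text, re.S | re.I):
        name = re.search(r"^\s*Server(?:Name|Alias)\s+(\S+)", block, re.M | re.I)
        match = override.search(block)
        if match and base - parse_list(match.group(1)):
            found[name.group(1) if name else "(unnamed)"] = sorted(base - parse_list(match.group(1)))
    return found

if __name__ == "__main__":
    for host, funcs in reenabled(PHP_INI, HTTPD_CONF).items():
        print(f"{host}: override re-enables {', '.join(funcs)}")
```

For the post's test.com override the only re-enabled function is exec, as intended; the short hypothetical override re-enables 17 functions at once.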
How to disable those functions on VPS with Lxadmin and CentOS 5
show_source, system, shell_exec, passthru, exec,
phpinfo, popen, proc_open, base64_decode, base64_encodem, proc_terminate
I have a lot of .swf, .mpeg and other video files. I am afraid that someone is leeching them from me and embedding them on their websites.
I heard I can use .htaccess to specify on what domains the video files can be used. I would like the video files to be viewed on a couple of websites, but nothing else. Is there a way to do it?
Also, can I give a default replace file? For example, if someone is leeching a .swf file from me, they would see a very special .swf that would say "this content is stolen, go to mysite.com to view it" etc?
I am using a flash media player on one of my domains that streams music. The flash player would be like domain.com/music
The mp3 files are located in domain.com/music/mp3
The flash player just reads the title of the song and displays it in the media player.
I have used htaccess already to disable indexing, but the file name that shows on the media player is the exact name of the mp3, so I'm pretty sure people will be able to easily figure this out and start downloading our music.
What else can I add to htaccess to allow localhost access to the music, to stream with the flash player, but won't allow downloading of the mp3s?
about DNS functions. I know what the DNS is, but some part of it I am confused.
Here is situation.
AAA.com - Master
BBB.com - Reseller
Now, BBB's clients point their DNS to ns1.BBB.com, ns2.BBB.com
However, when I check BBB's whois, it shows BBB has ns1.AAA.com, ns2.AAA.com
So, BBB's clients know BBB is reseller. How can I show ns1.BBB.com, ns2.BBB.com?
I believe it's DNS function, right?
so I tried to edit DNS following:
Domain TTL Recordtype
BBB.com 86400 NS ns1.BBB.com (default was ns1.AAA.com)
BBB.com 86400 NS ns1.BBB.com (default was ns2.AAA.com)
Is it correct?
however, I checked BBB's whois, but it's still showing up ns1.AAA.com, ns2.AAA.com
It seems that some tsearch2 functions are inaccessible such as a set of rank() funcs. The default definition for one of the functions is shown in the following snippet of code:
CREATE OR REPLACE FUNCTION rank(real[], tsvector, tsquery)
RETURNS real AS
'$libdir/tsearch2', 'rank'
LANGUAGE 'c' IMMUTABLE STRICT;
I've tried to execute this script shown above and got the following error:
ERROR: permission denied for language c
rpm -qa | grep postgresql
postgresql-devel-8.3.5-1PGDG.rhel4
postgresql-server-8.3.5-1PGDG.rhel4
postgresql-8.3.5-1PGDG.rhel4
postgresql-libs-8.3.5-1PGDG.rhel4
postgresql-plpython-8.3.5-1PGDG.rhel4
My vps managed service has disabled these functions in php.ini:
Code:
exec, shell_exec, system, passthru,popen, virtual, show_source, pclose
I asked them why these are disabled and the answer was "because of security reasons".
So for example a Joomla installation with working RSS needs some of these functions, and when I install various php programs I face some strange problems that I think may be from these disabilities.
So my question is: could these functions usually be disabled? And may I delete them from disable_functions of php.ini?
My site is running with php scripts. It works fine at bluehost but I get some errors when I move to the new VPS.
Quote:
Warning: fputs(): supplied argument is not a valid stream resource in /home/xxx/public_html/home/admin/update_categories.php on line 171
Warning: fclose(): supplied argument is not a valid stream resource in /home/xxx/public_html/home/admin/update_categories.php on line 173
Warning: fputs(): supplied argument is not a valid stream resource in /home/xxx/public_html/home/admin/update_categories.php on line 225
Warning: fclose(): supplied argument is not a valid stream resource in /home/xxx/public_html/home/admin/update_categories.php on line 227
I want to enable these functions fopen(),fputs(),fclose(),fputs(),fclose() but I don't know how to enable them. Could you tell me the details?
Are there companies out there that allow unlimited emailing capabilities on a VPS server? What kind of budget would be best to get this capability? Am I better off going with a dedicated server?
How to make MySQL functions in PHP in server, because when I install VB in my dedicated server it coming is there is any option in WHM to change these functions!
I have disabled many functions in php.ini settings! For security!
But I need to use some of the functions for my billing system!
How can I enable all the functions just for an account? Or a directory!
Is it possible to set the disabled functions list for PHP in apache's HTTPD.conf per virtual host? I want a bunch of functions disabled for everyone except the default host (me).
I tried the php_admin_value way and when I look at phpinfo() it shows that the master is disabled and the local is not disabled (exactly what I want) but they aren't actually enabled for me
I'm using Parallels Plesk 12.0 and a mysql-Server.
I'm logged in with a customer's account into his phpmyadmin. Whenever a client connects to his website (which uses the database of his account) I get logged out and receive a "session expired" error. When I log in again I get "there's already a user with your username logged in".
Our security compliance test failed due to the following reason
Synopsis:
The remote service encrypts traffic using a protocol with known weaknesses.
Description:
The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.
Solution:
Consult the application's documentation to disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead. See for Apache.
We have Cpanel RHEL server. Please advise how to:
'disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead. See for Apache.'
RBL is blocking every incoming email. While waiting for the admin. How to disable it?
I can stop Dr Web from within Plesk Control panel, but every time server restarts - Dr Web is automatically started again.
Any possible way to disable it from running?
Also the same with Spam Assassin.
I am running CentOS
I would like to disable SSL 2.0 and use SSL 3.0. My question is how I can do this and which file I have to modify, or do I have to upgrade from SSL 2.0 to SSL 3.0?
I am using a script on which I want to enable friendly URLs; below are the instructions.
Friendly URLs Settings
Apache Settings
(please add the following lines to your .htaccess file to turn on friendly URLs)
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /hcl/friendly_url.php [L]
</IfModule>
But the issue is, I am using IIS on Windows Server.
How can I implement this?
I want a rule in .htaccess that will convert all .com addresses into .co.uk ones as I have a .com mapped to the .co.uk address for the site.
I have a vds with godaddy. I uploaded my site and then uploaded .htaccess (AddHandler server-parsed .html) Then when I go to my site in browser I get this error.
Safari can’t open the page “mydomain”. The error was: “lost network connection” (NSURLErrorDomain:-1005) Please choose Report Bug to Apple from the Safari menu, note the error number, and describe what you did before you saw this message.
The thing is, I did the exact same thing on another domain with the same htaccess file and everything works fine. SSI is enabled on both.
I'm currently having a problem with a site of mine. The problem is that trying to go to domain.com/subdirectory/ (with or without the trailing slash) gets a 404 error (even though the directory exists).
However, domain.com/subdirectory/file.php works fine.
When trying to figure out what is causing this, I remembered that someone who recently did some work on this site had to add something to the .htaccess file. Here's what they added:
RewriteCond $1 !.(php|ico|gif|jpg|png|css|js|htm|html|txt|zip|pdf)$
RewriteCond $1 !^$
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ index.php?/$1 [L]
I haven't done much with .htaccess, so I really have little idea what any of the above means or does (although I know it does something important).
So I guess my question is, could this bit of code be causing my problem? And, if so, how can it be corrected without messing up what this code was put there for in the first place?
My application is on Windows platform and using IIS as webserver.
Can I use .htaccess to secure my directory...
Code:
RewriteCond %{QUERY_STRING} ^showtopic=([^&]+)&st=0$
RewriteRule ^forum/index.php$ [url]
I get a 500 Internal Server Error when I put that in my .htaccess file. Got it from [url]
htaccess file that will redirect all requests for the domain to --
https://www.
so what I want is all traffic to be secure and use the 'www'.
If I do rm -f *.* I see that .htaccess is not deleted
If I do copy -f *.* /somedir .htaccess is not copied.
Why?
What should I do to represent all files including .htaccess?
I have a mobile download site. Now I don't want users to directly download from my site, I mean hotlinking.
I have a referral thing in my .htaccess
RewriteCond %{HTTP_REFERER} !^[url](/)?.*$ [NC]
Now there is a flashget-like software for mobiles. I want my users to be able to download using that software, but the problem is that the software doesn't send any referral info. So in my .htaccess I want to allow that software and I am trying this
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} ^.*FGet 1.0.*$ [NC]
RewriteCond %{HTTP_REFERER} !^[url](/)?.*$ [NC]
RewriteCond %{HTTP_REFERER} !^[url](/)?.*$ [NC]
RewriteCond %{HTTP_REFERER} !^[url](/)?.*$ [NC]
RewriteRule .*.(zip|avi)$ - [F,NC]
where FGet 1.0 is the HTTP_USER_AGENT sent by the software, but this doesn't work. Can you please give me the right code for it?