How To Secure Your Php.ini File Safe Mode ; Disable_functions ; Etc
what are the most important issues for secure php.ini file like when you turn your SAFE_MODE ON or OFF?
or please who every read this topic to post his important disable_functions in php.ini ... and if some functions disable to post it ...
let's make this subject for the most important issues for secure your php.ini
from script-kids as we can ...
here i have some important question's for anyone has or controlling a server ; vps ....
#0x01 ; what the most important disable_functions for the php.ini?
#0x02 ; is the safe_mode should be enabled? or disable? and this depend on what exacly?
#0x03 ; what the functions or any trick to control the nobody ( attacker on the server or shell ) FROOZ .... didn't move ? or make any command in the server ...
#0x04 ; i saw in some secure server ( as they say ) they changed the Server : discribe to them name[s] like
Server : SECURE BY US .COM OR SECURE SERVER ..
uname -a : Linux secure.secure.com 2.6.9-023stab040.1 #1 Mon Jan 15 23:24:32 MSK 2007 i686 athlon i386 GNU/Linux
sysctl : linux 2.6.9-023stab040.1
Server : SECURE BY US ! < [THIS WHAT I MEAN HOW COULD WE CHANGE IT IN PHP.ini ?]
id : uid=99(nobody) gid=99(nobody) groups=99(nobody) <[how can we cannot make this nobody to have the host id ! everyhost in the server should have his own name and php.ini ?]
pwd : /home/host/public_html/
#0x05 ; how can we hide the uname -a on the shell [ the attacker upload it to our customer site !]
#0x06 ; how can we hide the sysctl to view to anyone like [ attacker ] ...
#0x07 ; how can we rewrite on he Server Type the display for our secure message?Server : SECURE BY US !
#0x08 ; how can we give evey site and customer his php.ini file in his public_html? and how can we give him [ JUST HIS PERMISSION TO HIS SITES FOLDER AND NOT OTHER PATHS AND PERMISSION!]
these question every one had a server ; vps , need to know and secure his box from other ...
and anyone would like to publish any new [secure or not] idea please let us know what you would like to say ....
View Complete Thread with Replies
Sponsored Links:
Related Forum Messages:
How Can I Secure Server Without Safe Mode
i have vps and i enable the safe_mode , but now i need to turn it off becouse i need to install image uploader script and this script need safe mode off to work so, what can i do to secure my server while i turn off my safe mode? what can happend if i turn off safe mode? what is the job of safe mode?
View Replies!
View Related
Php Safe Mode
i need to enable php safe mode on for my joomla and i came across this Quote: When the php safe mode is turned off globally by default at our server end, you can still override the setting to turn it ON for only your domain by just insert the following line inside the ".htaccess" file (at Linux server): Code: php_value safe_mode "1" my joomla .htaccess file: Quote: ## # @version $Id: htaccess.txt 10492 2008-07-02 06:38:28Z ircmaxell $ # @package Joomla # @copyright Copyright (C) 2005 - 2008 Open Source Matters. All rights reserved. # @license http://www.gnu.org/copyleft/gpl.html GNU/GPL # Joomla! is Free Software ## ##################################################### # READ THIS COMPLETELY IF YOU CHOOSE TO USE THIS FILE # # The line just below this section: 'Options +FollowSymLinks' may cause problems # with some server configurations. It is required for use of mod_rewrite, but may already # be set by your server administrator in a way that dissallows changing it in # your .htaccess file. If using it causes your server to error out, comment it out (add # to # beginning of line), reload your site in your browser and test your sef url's. If they work, # it has been set by your server administrator and you do not need it set here. # ##################################################### ## Can be commented out if causes errors, see notes above. Options +FollowSymLinks # # mod_rewrite in use RewriteEngine On ########## Begin - Rewrite rules to block out some common exploits ## If you experience problems on your site block out the operations listed below ## This attempts to block the most common type of exploit `attempts` to Joomla! # # Block out any script trying to set a mosConfig value through the URL RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR] # Block out any script trying to base64_encode crap to send via URL RewriteCond %{QUERY_STRING} base64_encode.*(.*) [OR] # Block out any script that includes a <script> tag in URL RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR] # Block out any script trying to set a PHP GLOBALS variable via URL RewriteCond %{QUERY_STRING} GLOBALS(=|[|\%[0-9A-Z]{0,2}) [OR] # Block out any script trying to modify a _REQUEST variable via URL RewriteCond %{QUERY_STRING} _REQUEST(=|[|\%[0-9A-Z]{0,2}) # Send all blocked request to homepage with 403 Forbidden error! RewriteRule ^(.*)$ index.php [F,L] # ########## End - Rewrite rules to block out some common exploits
View Replies!
View Related
PHP Safe Mode
I would like to know as to whether or not you have php safe mode turned on? If you do, please specify why, and would you allow your clients to turn it off?
View Replies!
View Related
Php Safe Mode OFF And Security
I have found on one webhost that they have very cool feature: Here is what they say: Quote: Browsing through any webhost related forum will reveal that giving safe mode off poses extreme security risk to the server. Because it offers hackers a great advantage to access any other members account or read their sensitive files which usually contain passwords. But then some genuine scripts won't work with safe mode ON. Meaning you could turn it on per member requests but that takes lots of labor. So we completely reprogrammed the safe mode PHP source code and recompiled it. As a result ours safe mode OFF is light-years safer & hacker-proof then standard PHP v5 safe mode ON. So all our members are getting safe mode OFF, with harder security then those hosts who offer Safe Mode ON. So now I am wondering, how they did that? I have searched forums and Google for lots of different keyword but haven't found anything. I believe a lot of you running Apache as nobody and having php save mode OFF. It there any way you protect yourself? phpsuexec is not a solution now as it increasing load.
View Replies!
View Related
PHP Safe Mode Local Stays On, But Global Off
I've recently upgraded from Shared hosting to a VPS. I'm currently getting my new VPS setup before migrating my site over. On my shared server, both the global and local safe_mode directives were reported as off by php_infO(). On ym new server, the global is reported as off, but local is reported as on. On my old server, the PHP was version 4.4.9 running as a CGI. On my new server, PHP 5.1.6 is running as an Apache 2.0 Handler. I have already set safe_mode to off in my global php.ini file (hence why global is reported by off). However, I have no local php.ini files, htaccess files, or php directive settings in place, so I cannot figure out why local is set to on! I've tried editing httpd.conf to include "php_admin_flag safe_mode Off", though I'm not certain I put it in the right place. There is only one website on this server. With the CGI php on my old server, I was able to create a local php.ini file to overwrite global directives, but that seems to have no effect with the Apache Handler on my new server.
View Replies!
View Related
Prevents Users From Overriding System Php.ini In SuPHP Mode
this is simple steps to Prevents users from overriding system php.ini in suPHP mode .... in CPanel servers first : you must make sure that suphp is installed as default handler than just edit your httpd.conf file or php.conf file ( will be better to use php.conf ) now add this line : Quote: suPHP_ConfigPath /usr/local/lib or ( Zend ) Quote: suPHP_ConfigPath /usr/local/Zend if you need to use only php.ini config file : Quote: suPHP_Config /usr/local/lib/php.ini
View Replies!
View Related
About Secure Php.ini Directories
how can i secure the following options in php with whm box this is my php.ini settings Code: open_basedir = /home:/tmp include_path = ".:/usr/lib/php:/usr/local/lib/php:/usr/lib/php/extensions:/usr/lib/php/extensions/no-debug-non-zts-20020429:"; safe_mode_gid = Off safe_mode_include_dir = safe_mode_exec_dir = i want no one can access other user (User Bypass) with php shell i am running whm with apache 1.3.39 and php 4.4.7 phpsuexec how can i secure these options
View Replies!
View Related
Is It Secure To Let The Customer Use Thire Own Php.ini
while i'm running php as a cgi moudle and running SuExec , is it secure to let the customer use thire own php.ini file , for example /home/someuser/public_html/php.ini ?? while putting in mind that using thire own php.ini will let them to change the disable_function , so if there is any disable_functions in the original php.ini they can remove it for thire website. So is that action is secure for the server?
View Replies!
View Related
Php.ini And .htaccess File Permissions
I'm on a shared FreeBSD server, running Apache with Drupal, and vBulletin. I had to create a local php.ini file in my public_html folder for Drupal, and another in my forum folder for vBulletin. Now my question is, what should I set the permissions of these files to? Also, what should I set .htaccess permissions to as well? I'd like to keep them invisible to the public. But, I don't want any problems with Drupal, or vBulletin ether. I'm used to using Linux and I know how permissions work on a desktop. I just don't know what they do when used on a server. I'm guessing 640, but I'd like to make sure before I change anything.
View Replies!
View Related
Safe Mode On Or Off
Should i switch safe mode on or off . Right now i am using it as on some one told me if i switch it off then server can easily hack but becoz i switch it on im having too much problem specially users of sites having problem of uploading and wordpress also have issue and some more script what you say what should i do?
View Replies!
View Related
Safe Mode VPS
I have a script that needs safe mode off to run, the script writers have said safe mode is disabled as default and not required and even disabled in php 6 Now I'm not to fimular with Safe mode, all I know is most scripts are wrote to work with this on
View Replies!
View Related
AWBS Vb Safe Mode
To Install www.awbs.com scripts to my server How Can I Do This Following to one site on My server safe_mode Off allow_url_fopen On session.auto_start Off tell Me that i can do that from httpd config
View Replies!
View Related
Safe Mode OFF And Open_basedir Set...
I am going to run a free host, yes I know I should post this in FWHT but well, they dont answer very fast if at all. It is very dangerous to have Safe Mode OFF on a free host, but someone was telling me about open_basedir, which makes it so they cant touch any files set outside of open_basedir. Would this be suffiecient to keep them from touching others files? I know I need to disable other functions like exec() and stuff but would open_basedir keep hackers away from others files and hacking them...
View Replies!
View Related
Stop Exploits And Malicious Execs: Safe Mode
I decided to apply PHP safe mode to my servers, considering: - I cannot prohibit using exec functions (some binary uses are needed, like host, mysqldump, etc..) - I cannot restrict at all via UID/GID method at bins due to several problems.. Safe mode is the final sollution, as I only need "safe_mode_exec_dir" config to set a folder with the necesary binaries... this will stop nobody user (Apache) to exec whatever it wants, like perl, binaries uploaded to an public insecure folder (exploits), or anything else... people only could exec() the binaries I want and where I want. This will stop finally 95% of my hack problems. Well. The problem is safe_mode is enabled or not, but you cannot set o disable certain features of this safe mode, like UID/GID checks (*******!)... I am trying to configure so only "safe_mode_exec_dir" would apply, so: - Including UIDs checks disabled by: safe_mode_include_dir = "/home/" (tested) - Some variables set to NULL, as safe_mode_allowed_env_vars or safe_mode_protected_env_vars... - safe_mode_exec_dir = "/usr/phpbin/" Great! with symbolic lynks in... the best sollution available for me. - open_basedir = "/home/" (for fopen, etc...) Ok ok.. but problems there.. by example this one: Quote: Warning: fopen() [function.fopen]: SAFE MODE Restriction in effect. The script whose uid is 32015 is not allowed to access cache/dynamic_fields/modules.php owned by uid 99 in /home/yyyyyyyyy/public_html/chn/modules/DynamicFields/DynamicField.php on line 823 Great.. fopen is under UID/GID checks, but it is not an include, so safe_mode_include_dir would not apply... Now fopen, link, unlink, etc.. functions are UID restricted and this seems to be impossible to disable.... pffffffff... can you share your safe_mode configs or sollutions for this problem?
View Replies!
View Related
PHP In Apache Mode
I currently have one server running PHP in suPHP mode. One of my friend told me that if i change the PHP to Apache Mode, this would decrease my server load a lot and thus give more performance. Anyone can tell me what mean changing PHP to Apache mode? Is that something i can do from WHM? Will this affect the domains currently hosted on my server?
View Replies!
View Related
Apache Mode PHP Software Testing
For the purpose of software testing, I'm looking for the cheapest possible web host which provides:PHP 5 in apache mode, without suPHP (this is primarily what I'd like to test -- I already have a host with suPHP) PHP's ftp extension MySQL either fopen URL wrappers enabled or CURL (or both) I don't care if it doesn't support domain names, has 50% uptime, is really slow and has a 100mb monthly transfer cap. Just need to check that new releases of my scripts work right on it. (Setting up an FTP server on my desktop seems too much trouble and unnecessary danger.)
View Replies!
View Related
How To Allow PHP.ini
how I can allow customers to place a PHP.ini in certain directories to override some basic settings like "upload_max_filesize" and what not. I have seen this done before but not sure how to get it working.
View Replies!
View Related
Php.ini
I am unable to find php.ini on my server. [root@sml101 ~]# whereis php.ini php: /usr/bin/php /etc/php.ini /etc/php.d [root@sml101 ~]# cat /etc/php.ini memory_limit = "32M" include_path = "".:"" short_open_tag = "On" file_uploads = "On" safe_mode = "Off" [root@sml101 ~]# But in above php.ini file there is nothing to do, i want to change register_global on but php.ini seems to be missing or hidden. I have taken php info function on a domain and it is showing following path: Configuration File (php.ini) Path /etc/php.ini
View Replies!
View Related
Allow Custom Php.ini
I would like to know how to allow customers to use their own php.ini file. I have had hosts in the past that allowed you to use a custom php.ini file so long as you put it in every directory that you would need to use it. I was just trying to figure out how this is done as I am new to all of this and trying to learn.
View Replies!
View Related
PHP.ini Override
i use Cpanel/WHM , how can override php settings when php run az CGI ,when i put php.ini in root of any website the setting didn't override main php.ini settings.
View Replies!
View Related
How To Custom Php.ini
I'm using CentOS 5, Cpanel/WHM with php as cgi, when i try to put a php.ini file to to custom php for one account and it overwrite main setting on our server, someone use this bug to run c99 and try local attack other account, i've try fix this problem by edit /opt/suphp/etc/suphp.conf and set phprc_paths to /usr/local/lib/. But when i do this, php.ini in my custom account doesnt work any more... How can i custom php for one account and it not effect to main setting to prevent local attack?
View Replies!
View Related
Local Php.ini
I run multiple domains/sites on my linux server. I know there is a php.ini files that comes with the php installation package. But I have heard that there is a way to create a local php.ini file for each domain. Does anyone knows how to create local php.ini files for each domain. Is there a special setting i need to do to make it run?
View Replies!
View Related
Php.ini Being Truncated
Whenever I edit the /etc/php.ini file and change something, (like Off to On, or vice versa), it always becomes truncated, going from approximately 38kb to about 3kB. Almost everything gets erased. Would anyone know how this could be caused, or more importantly, how it can be fixed? I have a Linux CentOS 4.4 VPS with Virtuozzo.
View Replies!
View Related
Customised Php.ini
There is a shared server running PHPSuexec, and we need to change some php settings, and therefore doing that in .htaccess is not possible. We copied php.ini from /usr/local/lib/, made a modification and placed it in the web root path. I thought that any settings that have been changed would 'propagate' throughout the rest of the website (i.e. all paths underneath the web root, in the heirarchy), but unfortunately, we have found out that this is not the case. The settings that were modified, were only reflected in the web root path. Is there some method to ensure that the php modifications are reflected throughout the entire website ? We don't really want to have to place a copy of the entire (modified) php.ini in every path.
View Replies!
View Related
Suhosin And Php.ini
i have a dedicated server and i have installed suhosin through els well els never asked me for configurations or anything ,, it just installed it any way i'm trying to install AWBS on my server ,, AWBS needs safe_mode to be off so i went (pico /usr/local/lib/php.ini) all the lines were commented suhosin added this to every line at the begining PHP Code: ;suhosin.version=0.9.20 so everyline became commented any way i was trying to turn off the safe mode so i searched for it and replaced On with Off but the changes didn't take effect (locate suhosin) found bunch of folders and suhosin.so files that i couldn't manage is installing this extension ,, replaces the php.ini effect with another one ??? how can i configure php.ini to turn off the safe mode and also disable some functions while suhosin is there + how to remove suhosin without losing any data which command shall i use
View Replies!
View Related
Change Php.ini
I have a problem that am not able to connect with mssql_connect() function to MSSql server. Error is: undefined function mssql_connect(). On local this problem is get solved by uncomment extension=mssql_php.dll and extension=mssql_pdo_php.dll line by removing ";" in front of it. ::But how do i same on the online server?. ::If possible with coding or is thr any other way to do this plz let me know? ::If thr is a way to change .htaccess file to make this change or any better solution with .htaccess.. ::If thr ia a way to change the path for php.ini and we put our php.ini file in other folder and access that rather than php.ini on server.
View Replies!
View Related
Custom Php.ini
I have a reseller account on a server, and I have a client who needs to used a custom php.ini file to set the session.save_path variable. He has created this file and placed in the public_html folder, but this path still comes up as 'No Value' and the Configuration File Path still reads '/usr/local/Zend/etc/php.ini '. What do I need to do to get this site to read from the correct php.ini file? I tried setting this in the .htaccess file, to no avail.
View Replies!
View Related
Php.ini On Ubuntu Is Confusing Me
I am all too familiar with php on my win box but now am working on Linux. the extension_dir is commented out (??) however CURL does work but there is nothing about CURL in php.ini. I cant find any php.so files. Also the php.ini file lives in /etc/php5/apache2 Does this look like a standard install? Where do the .so files live? Ultimatly I want to install Turck MMCache which requires some extensions and when ever I try to do phpize there is the error message Cannot find config.m4 (google is not helping solve the problem) apt-get install m4 says I have the latest version. phpize is a shortcut in usr/bin that points to etc/alternatives/phpize which in turn is a shortcut to usr/bin/phpize5
View Replies!
View Related
CPanel Php.ini Override
I am setting a dedicated server for a mate with cPanel/WHM 11. He says he wants a custom php.ini file such that you can override the settings when you upload a php.ini file in /home/site/public_html/ how to allow this in the global settings?
View Replies!
View Related
Php.ini Error Handling
If I have a php page with no errors, everything works fine. If I remove a semicolon so it should give me an error, it displays nothing but a white page... Also, there is no error_log created. php.ini error config: Code: ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ; Error handling and logging ; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ; error_reporting is a bit-field. Or each number up to get desired error ; reporting level ; E_ALL - All errors and warnings ; E_ERROR - fatal run-time errors ; E_WARNING - run-time warnings (non-fatal errors) ; E_PARSE - compile-time parse errors ; E_NOTICE - run-time notices (these are warnings which often result ; from a bug in your code, but it's possible that it was ; intentional (e.g., using an uninitialized variable and ; relying on the fact it's automatically initialized to an ; empty string) ; E_CORE_ERROR - fatal errors that occur during PHP's initial startup ; E_CORE_WARNING - warnings (non-fatal errors) that occur during PHP's ; initial startup ; E_COMPILE_ERROR - fatal compile-time errors ; E_COMPILE_WARNING - compile-time warnings (non-fatal errors) ; E_USER_ERROR - user-generated error message ; E_USER_WARNING - user-generated warning message ; E_USER_NOTICE - user-generated notice message ; ; Examples: ; ; - Show all errors, except for notices ; ;error_reporting = "E_ALL" ; ; - Show only errors ; ;error_reporting = E_COMPILE_ERROR|E_ERROR|E_CORE_ERROR ; ; - Show all errors except for notices ; error_reporting = E_ALL & ~E_NOTICE ; Print out errors (as a part of the output). For production web sites, ; you're strongly encouraged to turn this feature off, and use error logging ; instead (see below). Keeping display_errors enabled on a production web site ; may reveal security information to end users, such as file paths on your Web ; server, your database schema or other information. display_errors = On ; Even when display_errors is on, errors that occur during PHP's startup ; sequence are not displayed. It's strongly recommended to keep ; display_startup_errors off, except for when debugging. display_startup_errors = Off ; Log errors into a log file (server-specific log, stderr, or error_log (below)) ; As stated above, you're strongly advised to use error logging in place of ; error displaying on production web sites. log_errors = On ; Set maximum length of log_errors. In error_log information about the source is ; added. The default is 1024 and 0 allows to not apply any maximum length at all. ;log_errors = On; ; Do not log repeated messages. Repeated errors must occur in same file on same ; line until ignore_repeated_source is set true. ignore_repeated_errors = Off ; Ignore source of message when ignoring repeated messages. When this setting ; is On you will not log errors with repeated messages from different files or ; sourcelines. ignore_repeated_source = Off ; If this parameter is set to Off, then memory leaks will not be shown (on ; stdout or in the log). This has only effect in a debug compile, and if ; error reporting includes E_WARNING in the allowed list report_memleaks = On ; Store the last error/warning message in $php_errormsg (boolean). track_errors = Off ; Disable the inclusion of HTML tags in error messages. ;html_errors = Off ; If html_errors is set On PHP produces clickable error messages that direct ; to a page describing the error or function causing the error in detail. ; You can download a copy of the PHP manual from http://www.php.net/docs.php ; and change docref_root to the base URL of your local copy including the ; leading '/'. You must also specify the file extension being used including ; the dot. ;docref_root = "/phpmanual/" ;docref_ext = .html ; String to output before an error message. ;error_prepend_string = "<font color=ff0000>" ; String to output after an error message. ;error_append_string = "</font>" ; Log errors to specified file. error_log = "error_log" ; Log errors to syslog (Event Log on NT, not valid in Windows 95). ;error_log = error_log;
View Replies!
View Related
Extension_dir Setting In Php.ini
I have just installed a php download script from rwscripts.com. My web host is netfirms, and I've set it to PHP4 (same as the php script I got). However, after the installation was completed, I'm getting this error messege. "extension_dir does not exists /usr/local/nf/lib/extensions/no-debug-non-zts-20020429" I've found this from rwscript's FAQ: "extension_dir does not exists /usr/lib/php/extensions/no-debug-non-zts-20020429 The extension_dir setting in php.ini should point to the real directory for SourceGuardian loaders to work (as well as any other dynamic PHP extension). This may be any directory on server. Common setting is /usr/local/lib/php/extensions. Please contact your server provider about this issue. They need to create this directory and alter the setting in php.ini and then restart the webserver. " But I don't really understand. I've contacted Netfirms, but they never replied me. Where can I change the php.ini config? Is there any better webhosting who supports php,
View Replies!
View Related
Unable To Make Changes To Php.ini
i'm trying to configure PHP, as I really need to turn magic quotes off and raise the memory limit. i don't want to use .htaccess - too many sites I got plesk 8.2.1, php5.1 well, to make it short, I ran 'phpinfo()' to see where php.ini was: etc/php.ini I change that, restart httpd, nothing happens. restart the server, nothing still. my changes are not applied when I run 'phpinfo()' again. i try 'locate php.ini' from the terminal, there are a few! /usr/local/psa/admin/conf/php.ini /usr/local/psa/admin/conf/php.ini.def /usr/local/sitebuilder/php.ini /etc/php.ini /etc/php.ini. /etc/php.ini.saved_by_psa /etc/php.ini.rpmsave ... plus some in the opt folder (that should be just the cache, uh?) the problem is that I tried to open all of them, to see where the hell php was getting the settings from, but none of them seem to reflect php's settings. meaning, I don't know what file I can use to configure PHP. all of them, for instance, say 'memory_limit: 32M', but php is set at 8M, and phpinfo() tells me memory_limit 8M. any idea why this might be happening? does Plesk have some tool to configure PHP that makes PHP ignore my changes?
View Replies!
View Related
How To Disallow Php.ini Overriding
if i enabled phpsuexec the client can remove all disable_functions and every thing if he just uploaded php.ini to his public_html folder i thought about this: ln -s /usr/local/lib/php.ini /home/user/public_html/php.ini and it work perfectly but if the user triad to make edit via FTP to the file he will see the file content but can't edit i triad to chmod to 0 but it will stop PHP is there any solution to stop the user see the content for the file?
View Replies!
View Related
Php.ini Store Sessions In Database
Is there a way in the php.ini file to force all sessions to be stored in a database? For example, in ColdFusion you can configure sessions to be stored in a db. Can you do this in PHP? Thereby forcing all sessions no matter what the customer specifies to be stored in a db.
View Replies!
View Related
|
TRACKER
