Running the script to fix Joomla Security?


#1

Hi,

I am trying to fix the register_globals security thing with Joomla. I know that there is a script for it.

#!/bin/sh
# Copy DreamHost's stock php.cgi and php.ini into the domain's cgi-bin directory
CGIFILE="$HOME/yourdomain.tld/cgi-bin/php.cgi"
INIFILE="$HOME/yourdomain.tld/cgi-bin/php.ini"
cp /dh/cgi-system/php.cgi "$CGIFILE"
cp /etc/php/cgi/php.ini "$INIFILE"

# Rewrite the three directives in the private copy of php.ini (straight quotes
# are required here; curly quotes break the shell)
perl -p -i -e '
s/^post_max_size\s*=.*/post_max_size = 100M/;
s/^upload_max_filesize\s*=.*/upload_max_filesize = 100M/;
s/^register_globals\s*=.*/register_globals = Off/;
' "$INIFILE"

However, now that I have this, what do I do to make it run on the website?

The website I am trying to do this to is www.arecenter.com.

Thanks for the help
-Hans

P.S. The “yourdomain.tld” in the script: do I put arecenter.com or arecenter.tld?


#2

I’m at a loss to know what “register_globals security thing” you are referring to with regards to Joomla! on Dreamhost.

If you are running PHP4, by default on DH, you have register_globals on, which is a security issue for all kinds of PHP applications. If this is the case, there is no need to “run a script” or anything else to fix it - just change your domain in the control panel to run PHP 5, which has register_globals set “off” by default, and that issue is fixed.

The script you have excerpted below looks like it came from the wiki page on PHP.ini, though the regex you used to set register globals to off was not in that script - did you find this script in another place, or did you add that regex yourself?

Either way, if that regex is correct (and I have not looked through the appropriate php.ini to see if it does do what you want) to make it “run” on the website, you need to complete the steps in the wiki article and make the appropriate “addhandler” additions to the correct .htaccess file.

The “yourdomain.tld” simply means your domain name followed by a “.” and the “Top Level Domain” for your site (com, net, org etc). If your domain name is arecenter.com, then “yourdomain.tld” should be replaced with “arecenter.com”.

–rlparker


#3

This is my error from the Admin Side of Joomla when I login.

Following PHP Server Settings are not optimal for Security and it is recommended to change them:

  • PHP register_globals setting is ON instead of OFF

Here is the thread i got this script from:
http://discussion.dreamhost.com/showflat.pl?Cat=&Board=3rdparty&Number=54452&page=&view=&sb=&o=&vc=1

You are the one that posted the script. Did I describe my problem incorrectly?

How can I fix that joomla error?

Thank you for your help,
-Hans

P.S. At work today, I showed my boss, and it sounds like he may purchase a year with my coupon code for 97 off. I thought it was funny/cool. Just a side note… I just wanted to say this where someone would care (all my friends are not computer geeks like me).


#4

Hans,

Actually, I think you described it pretty well, and your latest post clarifies a lot. It appears that you are running PHP4, which is why the register_globals setting is currently “off” - the “newer” installations of PHP 5 on DH fix this issue for you, because it has register_globals set to off by default.

Thanks for sharing where you got the “modified” wiki script - now that I review the post (which I had forgotten I had written - it was 6 months ago :wink: ) I can confirm that the regex to modify the register globals setting is correct, so that should not be the problem.

There are actually 4 different ways you could approach dealing with that error:

  1. The easiest way to do this is to follow the instructions in the wiki article on a custom php.ini file, which allows you to use the current copy of PHP DH has installed by default with a modified php.ini file, where you can change the register_globals setting, and others, as desired. This is by far the “easiest” way to do this, which is its biggest advantage, and it prevents the PHP environment from “changing” on you if DH “upgrades” PHP; its disadvantage is that it prevents your PHP environment from staying current with DH changes in PHP deployment (though there may be times you might consider this to be desirable). This wiki article was just recently written, and was not available when the previous responses to this issue were posted in the forums (it is actually a “stripped down” version of the next method).

  2. The second way to do this is a variation of the first method, where you do much the same thing with some additional steps involving shell scripts that “automate” the process to a degree, and keep your version of PHP current with DH’s, and is detailed in the DH Wiki article on PHP.ini. Most users find this to be considerably more difficult, as you can see by searching the forums, though those comfortable in the shell should still find it almost trivial. This is the approach you are currently attempting to complete (and you are probably almost there in succeeding at it!).

  3. A third approach is available as DH allows you to compile and use your own version of PHP, where you can set things up almost any way you want, and is the method DH support will recommend if pushed, though they will not support it. Many users seem to have difficulty with this process, as is evidenced by the many related threads on these forums.

  4. Finally, you can just set your domain to use PHP5 (Control Panel–>Manage Domains–>Click the “wrench” icon to edit the domain settings), which will have register_globals set correctly. This will produce, however, a different warning from Joomla! re. Magic_quotes, which you will have to address in one of the previously described ways, or just ignore (it is not as critical as the register_globals setting). More on this can be found in this discussion thread. Things have changed a bit with both Joomla! and DH since the post you referred to was written nearly 6 months ago - I have found Joomla! runs fine under PHP5, and this may now be the “easiest” way to fix the “register_globals” issue, if you are willing to either live with, or correct, the magic_quotes setting. :wink:

All of these methods put you “on your own”, as they are not standard, and DH tech support will not help you sort it if you screw the pooch, and break your website, while doing any of this. Therefore, it is best to “take it slow and get it right” if you decide to modify your PHP environment in this manner.

All that said, it looks as though you have just missed a step (or have an error) in what you are attempting to do using the second option listed above. Most commonly this is because of a failure to include the final step of the process described in the wiki, which is to modify your .htaccess file by adding:

AddHandler php-cgi .php
Action php-cgi /cgi-bin/php.cgi

to the file so that your Joomla! installation knows to use your local version of php.cgi and php.ini instead of the DH installed default versions.

The easiest way to confirm if this is, in fact, the problem, is to run a “phpinfo file”, and study the output to see what php.ini file is being read at runtime. You can do this by creating a file named “phpinfo.php” and running it on your server. The phpinfo.php file should have the following contents:

<?php
phpinfo();
?>

This file, when uploaded to your web space and “run” (by browsing to it, similar to http://yourdomain.tld/phpinfo.php) will print out the settings in use and display the value of many variables, from which you can tell which version of PHP is in use.

My advice at this point is to carefully recheck your work, and run the phpinfo file as described to see more clearly what is happening. The described method you are attempting to use does work (has been successfully used by many); you just have to follow all instructions precisely. Don’t give up; if you continue to have problems post back again with a link to your phpinfo.php file, a “step by step” report of the steps you have taken, and the exact contents of the scripts you have run and your .htaccess file, and I’ll have a look at it for you. Good Luck!

–rlparker
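The checks rlparker walks through above (local php.cgi present, register_globals = Off in the private php.ini, the AddHandler/Action lines in .htaccess) as an added shell script; this is example code, not from the thread or from DreamHost, and it assumes the file layout the thread uses under the site root (cgi-bin/php.cgi, cgi-bin/php.ini, .htaccess).

```shell
#!/bin/sh
# Added example, not from the thread or from DreamHost: checks the pieces of
# the "custom php.ini" setup described in the post above, so you can see what
# is missing before browsing to phpinfo.php. Paths under the site root are
# the ones the thread uses (cgi-bin/php.cgi, cgi-bin/php.ini, .htaccess).

# Effective value of a php.ini directive: the last uncommented "name = value".
ini_value() {                        # $1 = php.ini path, $2 = directive name
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
    sed 's/[[:space:]]*$//' | tail -n 1
}

# True when the directive's effective value equals $3, ignoring case.
ini_is() {                           # $1 = php.ini path, $2 = directive, $3 = expected
  [ "$(ini_value "$1" "$2" | tr 'A-Z' 'a-z')" = "$(printf '%s' "$3" | tr 'A-Z' 'a-z')" ]
}

# True when .htaccess routes .php through the local php.cgi (the step most often missed).
htaccess_ok() {                      # $1 = .htaccess path
  grep -q '^AddHandler[[:space:]][[:space:]]*php-cgi[[:space:]][[:space:]]*\.php' "$1" &&
    grep -q '^Action[[:space:]][[:space:]]*php-cgi[[:space:]][[:space:]]*/cgi-bin/php\.cgi' "$1"
}

# Run every check for a site root ($1 = directory holding .htaccess and cgi-bin/).
# Returns the number of failed checks, so 0 means the setup looks complete.
check_site() {
  fails=0
  [ -x "$1/cgi-bin/php.cgi" ] || { echo "cgi-bin/php.cgi missing or not executable"; fails=$((fails + 1)); }
  ini_is "$1/cgi-bin/php.ini" register_globals Off || { echo "register_globals is not Off in cgi-bin/php.ini"; fails=$((fails + 1)); }
  htaccess_ok "$1/.htaccess" || { echo ".htaccess lacks the AddHandler/Action lines"; fails=$((fails + 1)); }
  echo "magic_quotes_gpc = $(ini_value "$1/cgi-bin/php.ini" magic_quotes_gpc)"   # informational only
  return $fails
}

# Build a constructed site tree (sample data, not a real account) and print its path.
demo_site() {
  d=$(mktemp -d) && mkdir "$d/cgi-bin"
  printf '#!/bin/sh\n' > "$d/cgi-bin/php.cgi" && chmod +x "$d/cgi-bin/php.cgi"
  printf ';register_globals = On\nregister_globals = Off\nmagic_quotes_gpc = On\n' > "$d/cgi-bin/php.ini"
  printf 'AddHandler php-cgi .php\nAction php-cgi /cgi-bin/php.cgi\n' > "$d/.htaccess"
  echo "$d"
}
```

Run `check_site "$HOME/yourdomain.tld"` against the real tree, or `check_site "$(demo_site)"` to see it pass on the constructed sample; a commented-out `;register_globals = On` line is ignored, while a later uncommented `register_globals = On` would override the Off and be reported.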