The Community Forums


.htaccess, php, secure issue

Discussion in 'General Discussion' started by kuwaitnt, May 6, 2006.

  1. kuwaitnt

    kuwaitnt Well-Known Member

    Hello all,

    Can I ask for help?

    I have a server and provide shared hosting :)

    and I have set the php.ini to

    safe_mode = on
    register_globals = off
    and disabled some functions (system, exec ... etc.)

    My question is:

    1 - Can my client use a .htaccess file to set safe_mode to off and register_globals to on??

    2 - I have set safe_mode to off and register_globals to on for one site in its vhost in httpd.conf,
    so it worked great, but I use the AWBS script (awbs.com) and when I run the cron job I get this error message

    <br />
    <b>Warning</b>: set_time_limit(): Cannot set time limit in safe mode in <b>/home/XXXXX/public_html/tools/master_cron.php</b> on line <b>3</b><br />

    and as I say, I have set safe_mode to off for this site, so how can I fix this issue??

    3 - I use mod_security; can our clients disable it from a .htaccess file??

    4 - How can I run my PHP compiler in CGI mode??
     
  2. kuwaitnt

    kuwaitnt Well-Known Member

    Is there anyone who can help?? :rolleyes:
     
  3. NT

    NT Well-Known Member

    Hi,

    Take a look here to see a list of what is configurable, and how you can configure them.

    Hope that helps.
     
  4. kuwaitnt

    kuwaitnt Well-Known Member

    :) Thanks NT, but there is nothing useful on that page
     
  5. NT

    NT Well-Known Member

    On the contrary - if it is PHP_INI_PERDIR or PHP_INI_ALL, then it can be set in htaccess.

    All you need to do is find the directives you want to check, and if they match the constants above, you can set them through htaccess.
     
  6. NT

    NT Well-Known Member

    To answer your questions:

    Safe Mode can't be set in htaccess
    Register Globals can be set in htaccess

    Hope that helps :)
     
  7. bidouilleur

    bidouilleur Well-Known Member

    True you can manipulate some settings via .htaccess but ...

    You cannot manipulate the php.ini settings with .htaccess when running PHP as cgi/phpsuexec. If you are using .htaccess with php_value entries within it, you would receive an internal server 500 error when attempting to access the scripts. This is because PHP is no longer running as an Apache module and Apache will not handle those directives any longer. All PHP values should be removed from your .htaccess files to avoid this issue.

    source
     
  8. kuwaitnt

    kuwaitnt Well-Known Member

    :) Thanks all,

    but the important question:

    is there any solution to fix this issue

    <br />
    <b>Warning</b>: set_time_limit(): Cannot set time limit in safe mode in <b>/home/XXXXX/public_html/tools/master_cron.php</b> on line <b>3</b><br />


    ?? And as I say, I have set safe_mode on in httpd.conf for all web sites; only one web site I set to off
     
  9. Spiral

    Spiral BANNED

    If you do not have phpSuExec then the client cannot override safe_mode but
    they will be able to enable register_globals. If you are using phpSuExec then
    the client will be able to override both of these values, which is one of the
    reasons I'm not particularly keen on phpSuExec.

    Some commands like safe_mode, disable_functions, and a few others are ignored
    when they are put in httpd.conf or .htaccess files because those items would
    be useless if they could be changed in those places because the client would
    also have full access to change those values.

    Unfortunately ... YES! And we are actually having a lot of problems with that right now
    at our hosting service and have implemented a "you disable, you get deleted" policy.
    Most of the users caught disabling mod_security are doing so to unblock disallowed
    content and that is unacceptable.
     
  10. clook

    clook Well-Known Member
    See here: http://www.modsecurity.org/document...3/html-multipage/03-configuration.html#N1027D

    You can compile mod_security with the -DDISABLE_HTACCESS_CONFIG flag which will prevent any users disabling or modifying your mod_security ruleset.
     
  11. kev888

    kev888 Member

    I'm curious how they'd first disable it, what command in HTACCESS and how you could scan for those users who did it?
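
One way to run the scan asked about above, as an added example that is not part of any post in this thread: it walks account directories and lists active `php_flag`/`php_value` and mod_security lines in `.htaccess` files, plus `safe_mode`, `register_globals` and `disable_functions` lines in per-directory `php.ini` copies. Matching mod_security directives by a `Sec` prefix, the function names and the sample tree are assumptions constructed for the example.

```python
import os
import re
import tempfile

# mod_php accepts php_flag/php_value in .htaccess; the "Sec" prefix is an assumption.
HTACCESS_RE = re.compile(r"^\s*(php_flag|php_value|Sec\w+)\s+(.*\S)", re.I)
# Settings from the thread that a per-directory php.ini copy could change.
INI_RE = re.compile(r"^\s*(safe_mode|register_globals|disable_functions)\s*=\s*(.*?)\s*$", re.I)


def scan_file(path):
    """Return (path, line_no, directive, value) for each active override in one file."""
    name = os.path.basename(path).lower()
    pattern = HTACCESS_RE if name == ".htaccess" else INI_RE
    hits = []
    with open(path, errors="replace") as fh:
        for line_no, line in enumerate(fh, 1):
            if line.lstrip().startswith(("#", ";")):
                continue  # commented-out line, not an active directive
            m = pattern.match(line)
            if m:
                hits.append((path, line_no, m.group(1), m.group(2)))
    return hits


def scan_tree(root):
    """Walk root (for example /home) and collect overrides from .htaccess and php.ini."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower() in (".htaccess", "php.ini"):
                hits.extend(scan_file(os.path.join(dirpath, fname)))
    return sorted(hits)


def demo():
    """Build a constructed one-account tree, scan it, return hits with relative paths."""
    with tempfile.TemporaryDirectory() as root:
        site = os.path.join(root, "user1", "public_html")
        os.makedirs(os.path.join(site, "includes"))
        with open(os.path.join(site, ".htaccess"), "w") as fh:
            fh.write("# php_flag display_errors on\nphp_flag register_globals on\nSecFilterEngine Off\n")
        with open(os.path.join(site, "includes", "php.ini"), "w") as fh:
            fh.write("; local copy\nsafe_mode = Off\n")
        return [(os.path.relpath(p, root), n, d, v) for p, n, d, v in scan_tree(root)]


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Run `scan_tree("/home")` as root from cron and compare the output with the previous run to see which accounts changed a setting. The same list shows which `.htaccess` files still carry `php_flag`/`php_value` lines before a switch to CGI/phpSuExec.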
     
  12. Secret Agent

    Secret Agent Guest

    How do I enable safe mode for one client? I have register globals off and phpsuexec support enabled as well
     
  13. sumith

    sumith Well-Known Member

    Put the php.ini under the home directory of that particular user and "turn on" safe mode in that php.ini file.
     
  14. joel69

    joel69 Active Member

    Going bananas!

    Hello. I have encountered the same problem. I have register_globals disabled in /etc/php.ini for security reasons, and phpSuExec enabled. Now comes along a customer who has PHP scripts that require register_globals to be enabled. So I copied /etc/php.ini to his home directory (e.g. /home/user1). I also copied it to /home/user1/etc, /home/user1/public_html, and /home/user1/public_html/includes ... I put a file called phpinfo.php (with the contents: <?php phpinfo(); ?>). According to the output of that file, register_globals is still off. Apache has been restarted several times with both /scripts/restartsrv_apache and service httpd restart, but still I am seeing the same results. PHP is 5.0.5, created with /scripts/easyapache. The permissions on the php.ini file are 644, and the user and group of the php.ini file are set to the user who needs register_globals enabled.

    This is DRIVING ME NUTS! In the past I have enabled register_globals for a single site using the same technique, and it worked. Does anybody have any idea why it would not work in this case? :rolleyes: :mad: :confused:
     
  15. sleddog

    sleddog Active Member

    The php.ini must be placed in the same directory as the PHP scripts. If you have scripts in multiple directories or subdirectories, a copy of php.ini must be placed in each directory or subdirectory.
     
  16. dreamwiz

    dreamwiz Well-Known Member

    First of all - I only bring this topic up because it's not that old and many may find it useful.

    If you run PHP in CGI mode and you're upgrading to PHP 5.1.x, per-directory php.ini will NOT be supported anymore. PHP says this has been removed because it was not a documented feature. Maybe you wanna use .htaccess instead... though you can't do everything with it either.
     
  17. Spiral

    Spiral BANNED

    I don't recommend ever having register_globals turned on!

    If you have a client that is using an old outdated script still requiring
    register_globals, I'd recommend that they either upgrade the script
    to a version that doesn't require register_globals or modify the script
    to not need register_globals.

    Incidentally, it's ridiculously trivial to change a script to not need
    register_globals and generally involves only adding a couple lines
    of code to the beginning of the script!
     