K1u
Posted November 18, 2007

Last tutorial I have for you guys... I also made this one on my site a while back. Enjoy... this one is not that complete so feel free to add on knowledge.

By K1u

Your PHP.ini file will have to be included in every folder you wish to be affected. Not really that much you may do, but disabling dangerous functions is probably the most important thing to do. These functions may easily be executed, for example -

    example.com/index.php?shell_exec('cat /etc/shadow && chmod 777 /etc/shadow')

Just giving an example. You would have to be root anyways lol.

You can disable functions in your php.ini file like so.

    disable_functions = funcs_to_disable

Functions that should be disabled for security - show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open, escapeshellcmd, escapeshellarg, dl

Add more on to the list if you wish. An example of a safe and secure php.ini file would be.

    register_globals = off
    allow_url_fopen = off
    expose_php = off
    max_input_time = 60
    url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=,fieldset="
    disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open, escapeshellcmd, escapeshellarg, dl
    magic_quotes_gpc = 1
    display_errors = off

More info.
Url_fopen - http://us.php.net/filesystem
Magic_quotes_gpc - http://forum.joomla.org/index.php?topic=90160.msg457193

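A way to check a php.ini against the settings listed in the post above, as an added example that is not part of the original post. The names `parse_ini`, `audit` and `SAMPLE` are made up for this example, the sample file is constructed, and the parser is simplified (it treats every `;` as the start of a comment and assumes the last assignment of a repeated directive is the one that takes effect).

```python
# Added example (not from the thread): audit php.ini text against the post's list.
# Directives the post sets to off, and the functions it lists for disable_functions.
WANT_OFF = ["register_globals", "allow_url_fopen", "expose_php", "display_errors"]
WANT_DISABLED = {"show_source", "system", "shell_exec", "passthru", "exec", "phpinfo",
                 "popen", "proc_open", "escapeshellcmd", "escapeshellarg", "dl"}
BOOL_OFF = {"off", "0", "false", "no", "none", ""}

def parse_ini(text):
    """Return (settings, duplicates); a repeated directive keeps its last value."""
    settings, duplicates = {}, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop ';' comments (simplified)
        if not line or line.startswith("[") or "=" not in line:
            continue                             # blank line, [section] or junk
        key, value = (part.strip() for part in line.split("=", 1))
        if key in settings:
            duplicates.append(key)               # e.g. allow_url_fopen set twice
        settings[key] = value.strip('"')
    return settings, duplicates

def audit(text):
    """Return a list of findings; an empty list means the file matches the post."""
    settings, duplicates = parse_ini(text)
    findings = [f"duplicate directive: {key}" for key in duplicates]
    for key in WANT_OFF:
        value = settings.get(key)
        if value is None:
            findings.append(f"{key} not set (PHP default applies)")
        elif value.lower() not in BOOL_OFF:
            findings.append(f"{key} = {value}, post recommends off")
    disabled = {f.strip() for f in settings.get("disable_functions", "").split(",")}
    for func in sorted(WANT_DISABLED - disabled):
        findings.append(f"disable_functions is missing {func}")
    return findings

# Constructed sample: a repeated directive that re-enables allow_url_fopen,
# and a disable_functions list shorter than the one in the post.
SAMPLE = """[PHP]
register_globals = off
allow_url_fopen = off
expose_php = Off
allow_url_fopen = On   ; repeated further down
display_errors = off
disable_functions = system, exec, shell_exec, passthru
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Because the post says the file has to be present in every folder it should apply to, run the check against each copy rather than only the top-level one.
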
jollyrancher82
Posted November 18, 2007

    allow_url_fopen = off
    expose_php = Off
    allow_url_fopen = OFF

Repeated.

K1u (Author)
Posted November 18, 2007

> allow_url_fopen = off
> expose_php = Off
> allow_url_fopen = OFF
>
> Repeated.

Thanks man... fixing it now.

SomeoneE1se
Posted November 18, 2007

magic quotes are for noobs and should be off

K1u (Author)
Posted November 19, 2007

> magic quotes are for noobs and should be off

I forgot the reason I set it to 1... hmm. But turning it off will prevent many sql injections left behind by n00b programmers.

SomeoneE1se
Posted November 19, 2007

>> magic quotes are for noobs and should be off
>
> I forgot the reason I set it to 1... hmm. But turning it off will prevent many sql injections left behind by n00b programmers.

turning it on will protect it.. but fucks over user input

K1u (Author)
Posted November 19, 2007

>>> magic quotes are for noobs and should be off
>>
>> I forgot the reason I set it to 1... hmm. But turning it off will prevent many sql injections left behind by n00b programmers.
>
> turning it on will protect it.. but fucks over user input

Hmm... I will do some research on it to see what would be the best solution. Someone with higher knowledge please care to explain what you would do, on or off.

jollyrancher82
Posted November 27, 2007

magic quotes doesn't exist in PHP6, so if you rely on magic quotes, your code is fucked when PHP6 is out. Plus you should always code as if magic quotes is off.