[WARNING] : PHP setting register_globals should be disabled on your server [WARNING] : PHP setting register_globals should be disabled on your server
 

News:

cpg1.5.48 Security release - upgrade mandatory!
The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.5.46 or older update to this latest version as soon as possible.
[more]

Main Menu

[WARNING] : PHP setting register_globals should be disabled on your server

Started by Abbas Ali, May 21, 2009, 04:56:39 AM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

Abbas Ali

Having the PHP setting register_globals enabled on your webserver is a bad idea in terms of security. It's strongly recommended to turn it off. If you don't have control over the webserver and therefore can't do that, ask your webhost for support.  Most webhosts should be happy to help you turn register_globals "off" because it removes potential security holes in all PHP scripts.  In addition, register_globals has been marked a feature to be removed in the next version of PHP and so all scripts need to work with register_globals "off" in the near future.  Some webhosts have a simple way to change the register_globals setting on the webhost's control panel. If the webserver is yours to administer (i.e. if you're self-hosting, which the dev team does not recommend), you need to edit php.ini, find the line that starts with register_globals and edit it accordingly. Save your changes and restart the webserver service/daemon.

Do not ask how to turn register_globals off in this thread nor in other threads on this forum, as we don't know how your webserver is set up and therefore can't answer that question. Usually, you are not able to change that in the first place if you're webhosted, but only your webhost can change it for you. The only place to ask for help is your webhost. Older, badly-written scripts may require register_globals to be enabled. Coppermine is not one of those scripts that require register_globals "on".  Although Coppermine works with register_globals turned on or off, it is strongly recommended to turn register_globals off.

In general, register_globals set to "on" might result in your site getting hacked!

For technical information about the security implications of register_globals, go to this page (on PHP.net).
Chief Geek at Ranium Systems

Master of Disaster

I asked my webhoster to turn off register_globals. It would cost me 10 € to change this parameter. Is it worth the 10 €?

isajade

My webhost replied that it would turn off many securised scripts.

To keep it ON that have many protections, so it's not a problem.

QuoteMettre en OFF register_globals bloque de nombreux scripts qui sont
pourtant sécurisés.
Afin de permettre de garder la variable ON, nous avons d'autres
protections bien plus efficaces.

Aucun souci donc.

:-\

Joachim Müller


isajade

Thank you for your reply. My webhost says that I'm perfectly safe with it turned ON.

(sorry his reply is in French)
QuoteCe n'est pas une fadaise, c'est une réalité. Certains scripts ont besoin
de register_globals.
Malheureusement je ne peux pas la mettre en ON sur le serveur. Sinon de
nombreux clients vont être bloqué.

Nous connaissons l'architecture de nos serveurs et les protections que
nous employons. Un programmeur ne va pas connaitre notre manière de
faire et/ou de protéger les scripts. Mettre en OFF n'est qu'une solution
de facilité.
Chaque client dispose d'un espace cloisonné où les utilisateurs gèrent
leur PHP en toute liberté.
L'ensemble des requêtes est contrôlé et géré pour prévenir un piratage.
Vous ne risquez strictement rien. Je prends la responsabilité pleine de
mes propos.

:-[

Joachim Müller

Quote from: isajade on June 25, 2009, 08:11:10 PM
Thank you for your reply. My webhost says that I'm perfectly safe with it turned ON.
Well, I told you what my I think about the quailty of your webhost's comments. They are just nonsense. However, this thread is not the correct place to discuss your individual issues.


Master of Disaster

What do you think? Is it worth the 10 € for turning off register_globals?

Joachim Müller

Quote from: Joachim Müller on June 25, 2009, 08:15:01 PM
this thread is not the correct place to discuss your individual issues.
The fact that your question was ignored in the first place obviuosly was not enough, so I have to reply accordingly: we don't know nor care. Personally, I wouldn't be ready to pay for a secure setup. If my webhoster would charge for a security-related setting I'd be looking for another webhost. But that's just my persaonal taste. Please stop the discussion of your inidvidual issues.

hobox


Fabricio Ferrero

Quote from: Abbas Ali on May 21, 2009, 04:56:39 AM
If you don't have control over the webserver and therefore can't do that, ask your webhost for support.  Most webhosts should be happy to help you turn register_globals "off" because it removes potential security holes in all PHP scripts.

This is a thread that is beeing pointed from the Config Panel and I don't think that more post should be added.

Locking.
Read Docs and Search the Forum before posting. - Soporte en español
--*--
Fabricio Ferrero's Website

Catching up! :)

Joachim Müller

The warning message will be visible for the admin only, so there is no harm done for the visitors of your gallery. If the output of the message bothers you, turn it of by making your webhost disable the register_globals toggle as suggested alrerady. If you just want to silence the output, you haven't understood what we're discussing here. You should review the idea in that case to run a site of your own. Anway, we won't discuss this subject further.