WARNING: IT LOOKS LIKE REGISTER_GLOBALS IS ON!


Adrian
6th of October 2006 (Fri), 08:48
Hi Guys,

I know I'm as dumb as a stump, but could someone walk me through turning this setting off? I have "the power" but not the intellect ;).

Thanks again in advance.

shaun3000
6th of October 2006 (Fri), 10:33
Make a file called php.ini
register_globals = "off"

Save it in your EE directory.

tommykjensen
6th of October 2006 (Fri), 11:16
or .htaccess

with

php_flag register_globals off

Adrian
7th of October 2006 (Sat), 02:28
Thanks guys, it worked a treat!

yosemite
7th of October 2006 (Sat), 11:38
i have the php.ini in my root directory and it says
register_globals = off
post_max_size = 20M
memory_limit = 80M
upload_max_filesize = 20M
max_execution_time = 120
expose_php=off
allow_url_fopen = off

does this need to be in the ee directory?

cf

Racer23
7th of October 2006 (Sat), 19:14
I got the same thing, updated my .htaccess file, and now I cannot log in to my admin page at all. It won't accept the default or the new username and password.

Pekka
7th of October 2006 (Sat), 19:17
I got the same thing, updated my .htaccess file, and now I cannot log in to my admin page at all. It won't accept the default or the new username and password.

What if you take the .htaccess off (or revert it to what it was)?
If that works, then you must put the register_globals removal in php.ini.

yosemite
7th of October 2006 (Sat), 19:17
racer,

i think i had this problem before when the htaccess file was in the ee directory. try removing it and see what happens.

yosemite
7th of October 2006 (Sat), 19:19
pekka,

do you think that the php.ini in my root directory is working even though ee reports that it is not?

Racer23
7th of October 2006 (Sat), 19:26
Ok, after looking at another thread regarding the cookies. I remember I changed it because the report wanted it changed.... so I put my domain name in. Bottom line is that if you want to log in, don't put anything other than letters as your cookie..

Thanks

yosemite
7th of October 2006 (Sat), 21:07
i have this php.ini file in the ee directory;
allow_url_fopen = False ;
allow_url_fopen = false ;
register_globals = "off"
register_globals = Off
post_max_size = 20M
memory_limit = 80M
upload_max_filesize = 20M
max_execution_time = 120
expose_php=off
allow_url_fopen = off

and when i do the ee install check i still get these errors:
Allow opening of URL content (include/read) - allow_url_fopen: yes
$checkglobal = 1
WARNING: IT LOOKS LIKE REGISTER_GLOBALS IS ON!


and when i put these in a htaccess file i get an internal 500 error
php_flag register_globals off
allow_url_fopen = Off
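
An added example (not part of the original thread and not EE code): a small Python linter for the two kinds of file discussed above. It flags php.ini-style lines in a .htaccess, which Apache rejects with a 500 error, and reports settings repeated in a php.ini. The function names, finding codes and sample inputs are constructed; it assumes allow_url_fopen is a system-level setting and that a later php.ini assignment replaces an earlier one.

```python
import re

# Assumption: settings PHP documents as system-level (PHP_INI_SYSTEM),
# which a per-directory .htaccess override cannot change.
SYSTEM_ONLY = {"allow_url_fopen"}
INI_STYLE = re.compile(r"^([A-Za-z_][\w.]*)\s*=\s*(.*)$")
PHP_DIRECTIVE = re.compile(r"^(php_flag|php_value)\s+(\S+)\s+(\S+)$", re.I)

def lint_htaccess(text):
    """Return (line_no, code, setting) findings for PHP settings in .htaccess."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = INI_STYLE.match(line)
        if m:
            # php.ini syntax is not an Apache directive: Apache answers 500.
            findings.append((no, "INI_SYNTAX", m.group(1).lower()))
            continue
        m = PHP_DIRECTIVE.match(line)
        if m:
            name = m.group(2).lower()
            # php_flag/php_value exist only when PHP runs as an Apache
            # module; under CGI Apache does not know them and answers 500.
            code = "SYSTEM_ONLY" if name in SYSTEM_ONLY else "NEEDS_MOD_PHP"
            findings.append((no, code, name))
    return findings

def effective_ini(text):
    """Parse php.ini text; return (effective values, settings set twice)."""
    values, repeated = {}, []
    for raw in text.splitlines():
        m = INI_STYLE.match(raw.split(";", 1)[0].strip())  # ';' = comment
        if not m:
            continue
        name = m.group(1).lower()
        if name in values and name not in repeated:
            repeated.append(name)
        # Assumption: a later assignment replaces an earlier one.
        values[name] = m.group(2).strip().strip('"').lower()
    return values, repeated

# Constructed samples, modelled on the files quoted in the thread.
HTACCESS = "php_flag register_globals off\nallow_url_fopen = Off\n"
PHP_INI = ('allow_url_fopen = False ;\nregister_globals = "off"\n'
           "register_globals = Off\nallow_url_fopen = off\n")

if __name__ == "__main__":
    print(lint_htaccess(HTACCESS))
    print(effective_ini(PHP_INI))
```

Whatever a linter reports, the effective values are the ones shown under "Display full PHP info" for the directory the script actually runs in.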

Pekka
7th of October 2006 (Sat), 21:18
What do you see in "server info / Display full PHP info"?

In some server setups php.ini is the only place where these switches may be placed.

yosemite
8th of October 2006 (Sun), 09:31
hi pekka,

under "server info / Display full PHP info";


at php core i see:

allow_url_fopen On
register_globals On
under both local and master value. i had this problem with 1.5 and was hacked and then used php.ini file which seemed to plug the hole as i ran that test you had for the register_globals and it reported closed.

the host is lunar pages. should i find another host?

thanks
--------------------------
i just did your register_globals test for 1.5 and got the "x is not defined"
does this mean i am safe? it would be good to know before i spend any more time on the site.

this is my php.ini in the ee directory
allow_url_fopen = False ;
allow_url_fopen = false ;
register_globals = "off"
register_globals = Off
post_max_size = 20M
memory_limit = 80M
upload_max_filesize = 20M
max_execution_time = 120
expose_php=off
allow_url_fopen = off

dzilk
10th of October 2006 (Tue), 14:42
I received the same IT LOOKS LIKE REGISTER_GLOBALS IS ON! message, and contacted my hosting service (globat) to request that it be turned off.

They responded that they would not do it as it was a global setting which would affect all their users. Furthermore, they indicated that they don't support php.ini usage either, so that I cannot do it myself!

I have tried using .htaccess, but with it in place, I cannot access my site at all.

Am I out of luck and vulnerable to getting my site hacked? Or are there other solutions that I might try to increase my security?

David

Pekka
10th of October 2006 (Tue), 15:46
I have done plenty to make sure EE 2 can not be hacked even with Register Globals = on. But there are always clever crackers out there who try and can find exploits, maybe. Also, globals on means system environmental variables can override EE variables, which can mean errors in output - I have tried to avoid that with renaming e.g. 1.5 variable "$lang" to "$ee_lang" in 2.0 etc., but nothing is foolproof.

wkitty42
10th of October 2006 (Tue), 19:11
but nothing is foolproof.
you can say that again... implementing a .htaccess file can very easily cause a site to not be accessible... those having problems using such need to check their syntax very closely...

yosemite
10th of October 2006 (Tue), 19:23
david,

try a php.ini file in your ee directory and also in your admin directory. my host told me the same thing so i tried the php.ini in the ee folder but ee still reported globals as on. i just tried putting the php.ini in my admin and now it says globals is off! my host also said to never use the globals off in a .htaccess.

this is my php.ini file
register_globals = Off
allow_url_fopen = Off

I received the same IT LOOKS LIKE REGISTER_GLOBALS IS ON! message, and contacted my hosting service (globat) to request that it be turned off.

They responded that they would not do it as it was a global setting which would affect all their users. Furthermore, they indicated that they don't support php.ini usage either, so that I cannot do it myself!

I have tried using .htaccess, but with it in place, I cannot access my site at all.

Am I out of luck and vulnerable to getting my site hacked? Or are there other solutions that I might try to increase my security?

David

dzilk
10th of October 2006 (Tue), 20:34
Adding php.ini to the admin directory seems to have done the trick. Now running the Install Check gives the following results:

42. Allow opening of URL content (include/read) - allow_url_fopen: n/a (possibly off)

43. REGISTER GLOBALS check:
If you see "$checkglobal=1" below, your server has register_globals on - you should contact your server admin ASAP and request that 'register_globals' should be set off! KEEPING register_globals ON IS A SEVERE SECURITY RISK, AND IT CAN ALSO PREVENT EE FUNCTIONING PROPERLY.

$checkglobal =

Previously, both allow_url_fopen and register_globals were listed as ON. Now they seem to be unknown. I hope this is good enough.

If I run the Server Information with full PHP info, it says these parameters are off both as master and local values.

David

jeronimo
11th of October 2006 (Wed), 06:51
If you just add it to the admin dir; isn't it so that only the admin dir is protected? And if so, you should add the php.ini to EACH dir under your EE main dir.

jouquesm
26th of March 2007 (Mon), 05:03
I have just completed the upgrade to 2.02

Register Globals is set to "on" by my hosting provider and I am unable to edit the main php.ini. I have followed this thread and tried a php.ini in the server root, EE root and EE admin directories.

Also I have tried the .htaccess but have forbidden errors like the other respondents.

The problem is that I cannot login to admin - After login, the page merely states that register globals is on and I should change & login again.

If this is not a security risk Pekka, why is this not just an advisory rather than a block? Can I disable this block as I am prepared to accept the risk :)
Don't want to start hacking the code without asking if I am being a muppet first.

Thanks

Pekka
26th of March 2007 (Mon), 14:06
"WARNING: IT LOOKS LIKE REGISTER_GLOBALS IS ON!" is not a blocking error, looks like your problem with admin load is elsewhere. Maybe a cookie problem?

jouquesm
13th of April 2007 (Fri), 06:36
Thanks Pekka

Problem was between the chair and the keyboard.

For anyone else having this problem, I had not completed the upgrade to 2.02 properly. Having changed the admin folder name the files had not copied properly and so the site was sitting at the "Register Globals" error message and not proceeding. Did the upgrade again and all ok.

gaelvfx
22nd of August 2007 (Wed), 15:19
Adding php.ini to the admin directory seems to have done the trick. Now running the Install Check gives the following results:


Previously, both allow_url_fopen and register_globals were listed as ON. Now they seem to be unknown. I hope this is good enough.

If I run the Server Information with full PHP info, it says these parameters are off both as master and local values.

David



Hello,

I have followed all the recommendations from everybody and created htaccess and php.ini files everywhere. And now, after one week of fighting against the installation, which is tricky for newbies, I have version 2.02 on my ixwebhosting.com. There are still two errors, but one is like yours, David. Do you have any problem with this setting? Or have you found the problem?

45. REGISTER GLOBALS check:
If you see "$checkglobal=1" below, your server has register_globals on - you should contact your server admin ASAP and request that 'register_globals' should be set off! KEEPING register_globals ON IS A SEVERE SECURITY RISK, AND IT CAN ALSO PREVENT EE FUNCTIONING PROPERLY.

$checkglobal =


Perhaps it's from my hosting. I have asked to change that, but this is the answer:

To disable register_globals locally, you may need to create .htaccess file in folder where you need r_g disabled with the following content:
php_value register_globals 0
If you have any troubles with LOCK privileges, just let us know database name, user name and exact privilege name (e.g. LOCK TABLE), so we can arrange settings for you.

I have spent a lot of time getting to this "final?" step, and now I want to use the gallery and stop doing computer science, but I want to be sure that I can put up my pictures!!!

But the final word is that EE is the best of the best tools that I have seen for showing photos on the web. I have done a lot of searching on the web and, Pekka, except for the impossible installation, the settings and the options are very powerful for photographers!!! Thanks a lot for your work!!

yosemite
22nd of August 2007 (Wed), 18:29
i think the only one who can answer the question as to whether or not your site is safe now would be pekka or isp.

all i can say is that i have had 2.02 running since it came out under the same circumstances with no problems.

gaelvfx
22nd of August 2007 (Wed), 20:28
Thank you Yosemite, it's cool to see that I'm not alone and that I haven't lost my time during my long installation experience. I'm waiting for more answers for complete heaven!

wkitty42
24th of August 2007 (Fri), 09:11
45. REGISTER GLOBALS check:
If you see "$checkglobal=1" below, your server has register_globals on - you should contact your server admin ASAP and request that 'register_globals' should be set off! KEEPING register_globals ON IS A SEVERE SECURITY RISK, AND IT CAN ALSO PREVENT EE FUNCTIONING PROPERLY.

$checkglobal =


Perhaps it's from my hosting. I have asked to change that, but this is the answer
ummm... i don't see a problem with the $checkglobal up there... there's not a one digit after the equals sign as specified in your quote...