Advanced search  

News:

cpg1.5.46 Security release - upgrade mandatory!
The Coppermine development team is releasing a security update for Coppermine in order to counter recently discovered vulnerabilities. It is important that all users who run version cpg1.5.44 or older update to this latest version as soon as possible.
[more]

Pages: [1]   Go Down

Author Topic: [WARNING] : PHP setting register_globals should be disabled on your server  (Read 352844 times)

0 Members and 1 Guest are viewing this topic.

Abbas Ali

  • Administrator
  • Coppermine addict
  • *****
  • Country: in
  • Offline Offline
  • Gender: Male
  • Posts: 2165
  • Spread the PHP Web
    • Ranium Systems

Having the PHP setting register_globals enabled on your webserver is a bad idea in terms of security. It's strongly recommended to turn it off. If you don't have control over the webserver and therefore can't do that, ask your webhost for support.  Most webhosts should be happy to help you turn register_globals "off" because it removes potential security holes in all PHP scripts.  In addition, register_globals has been marked a feature to be removed in the next version of PHP and so all scripts need to work with register_globals "off" in the near future.  Some webhosts have a simple way to change the register_globals setting on the webhost's control panel. If the webserver is yours to administer (i.e. if you're self-hosting, which the dev team does not recommend), you need to edit php.ini, find the line that starts with register_globals and edit it accordingly. Save your changes and restart the webserver service/daemon.

Do not ask how to turn register_globals off in this thread nor in other threads on this forum, as we don't know how your webserver is set up and therefore can't answer that question. Usually, you are not able to change that in the first place if you're webhosted, but only your webhost can change it for you. The only place to ask for help is your webhost. Older, badly-written scripts may require register_globals to be enabled. Coppermine is not one of those scripts that require register_globals "on".  Although Coppermine works with register_globals turned on or off, it is strongly recommended to turn register_globals off.

In general, register_globals set to "on" might result in your site getting hacked!

For technical information about the security implications of register_globals, go to this page (on PHP.net).
« Last Edit: May 21, 2009, 05:33:07 PM by Joachim Müller »
Logged
Chief Geek at Ranium Systems

Master of Disaster

  • Coppermine novice
  • *
  • Offline Offline
  • Gender: Male
  • Posts: 22

I asked my webhoster to turn off register_globals. It would cost me 10 € to change this parameter. Is it worth the 10 €?
Logged

isajade

  • Coppermine regular visitor
  • **
  • Offline Offline
  • Gender: Female
  • Posts: 67

My webhost replied that it would turn off many securised scripts.

To keep it ON that have many protections, so it's not a problem.

Quote
Mettre en OFF register_globals bloque de nombreux scripts qui sont
pourtant sécurisés.
Afin de permettre de garder la variable ON, nous avons d'autres
protections bien plus efficaces.

Aucun souci donc.

 :-\
Logged

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 47844
  • aka "GauGau"
    • gaugau.de

My webhost replied that it would turn off many securised scripts.
That's nonsense IMO.
Logged

isajade

  • Coppermine regular visitor
  • **
  • Offline Offline
  • Gender: Female
  • Posts: 67

Thank you for your reply. My webhost says that I'm perfectly safe with it turned ON.

(sorry his reply is in French)
Quote
Ce n'est pas une fadaise, c'est une réalité. Certains scripts ont besoin
de register_globals.
Malheureusement je ne peux pas la mettre en ON sur le serveur. Sinon de
nombreux clients vont être bloqué.

Nous connaissons l'architecture de nos serveurs et les protections que
nous employons. Un programmeur ne va pas connaitre notre manière de
faire et/ou de protéger les scripts. Mettre en OFF n'est qu'une solution
de facilité.
Chaque client dispose d'un espace cloisonné où les utilisateurs gèrent
leur PHP en toute liberté.
L'ensemble des requêtes est contrôlé et géré pour prévenir un piratage.
Vous ne risquez strictement rien. Je prends la responsabilité pleine de
mes propos.

 :-[
Logged

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 47844
  • aka "GauGau"
    • gaugau.de

Thank you for your reply. My webhost says that I'm perfectly safe with it turned ON.
Well, I told you what my I think about the quailty of your webhost's comments. They are just nonsense. However, this thread is not the correct place to discuss your individual issues.
Logged

isajade

  • Coppermine regular visitor
  • **
  • Offline Offline
  • Gender: Female
  • Posts: 67

Sorry, thank you.  :-X
Logged

Master of Disaster

  • Coppermine novice
  • *
  • Offline Offline
  • Gender: Male
  • Posts: 22

What do you think? Is it worth the 10 € for turning off register_globals?
« Last Edit: July 01, 2009, 04:09:09 PM by Master of Disaster »
Logged

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 47844
  • aka "GauGau"
    • gaugau.de

this thread is not the correct place to discuss your individual issues.
The fact that your question was ignored in the first place obviuosly was not enough, so I have to reply accordingly: we don't know nor care. Personally, I wouldn't be ready to pay for a secure setup. If my webhoster would charge for a security-related setting I'd be looking for another webhost. But that's just my persaonal taste. Please stop the discussion of your inidvidual issues.
Logged

hobox

  • Coppermine newbie
  • Offline Offline
  • Posts: 7

Is there a way to turn off the warning?
Logged

Fabricio Ferrero

  • Dev Team member
  • Coppermine addict
  • ****
  • Country: 00
  • Offline Offline
  • Gender: Male
  • Posts: 1997
  • From San Juan, Argentina, to the World!
    • http://fabricioferrero.com/

If you don't have control over the webserver and therefore can't do that, ask your webhost for support.  Most webhosts should be happy to help you turn register_globals "off" because it removes potential security holes in all PHP scripts.

This is a thread that is beeing pointed from the Config Panel and I don't think that more post should be added.

Locking.
Logged
Read Docs and Search the Forum before posting. - Soporte en español
--*--
Fabricio Ferrero's Website

Catching up! :)

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 47844
  • aka "GauGau"
    • gaugau.de
Re: [WARNING] : PHP setting register_globals should be disabled on your server
« Reply #11 on: October 27, 2009, 01:53:53 PM »

The warning message will be visible for the admin only, so there is no harm done for the visitors of your gallery. If the output of the message bothers you, turn it of by making your webhost disable the register_globals toggle as suggested alrerady. If you just want to silence the output, you haven't understood what we're discussing here. You should review the idea in that case to run a site of your own. Anway, we won't discuss this subject further.
Logged
Pages: [1]   Go Up
 

Page created in 0.077 seconds with 20 queries.