forum.coppermine-gallery.net

No Support => Announcements => Topic started by: Abbas Ali on May 21, 2009, 04:56:39 am

Title: [WARNING] : PHP setting register_globals should be disabled on your server
Post by: Abbas Ali on May 21, 2009, 04:56:39 am
Having the PHP setting register_globals (http://www.php.net/manual/en/ini.core.php#ini.register-globals) enabled on your webserver is a bad idea in terms of security. It's strongly recommended to turn it off. If you don't have control over the webserver and therefore can't do that, ask your webhost for support.  Most webhosts should be happy to help you turn register_globals "off" because it removes potential security holes in all PHP scripts.  In addition, register_globals has been marked a feature to be removed in the next version of PHP and so all scripts need to work with register_globals "off" in the near future.  Some webhosts have a simple way to change the register_globals setting on the webhost's control panel. If the webserver is yours to administer (i.e. if you're self-hosting, which the dev team does not recommend), you need to edit php.ini, find the line that starts with register_globals and edit it accordingly. Save your changes and restart the webserver service/daemon.

Do not ask how to turn register_globals off in this thread nor in other threads on this forum, as we don't know how your webserver is set up and therefore can't answer that question. Usually, you are not able to change that in the first place if you're webhosted, but only your webhost can change it for you. The only place to ask for help is your webhost. Older, badly-written scripts may require register_globals to be enabled. Coppermine is not one of those scripts that require register_globals "on".  Although Coppermine works with register_globals turned on or off, it is strongly recommended to turn register_globals off.

In general, register_globals set to "on" might result in your site getting hacked!

For technical information about the security implications of register_globals, go to this page (http://www.php.net/manual/en/security.globals.php) (on PHP.net).
Title: Re: [WARNING] : PHP setting register_globals should be disabled on your server
Post by: Master of Disaster on June 25, 2009, 01:06:59 pm
I asked my webhoster to turn off register_globals. It would cost me 10 € to change this parameter. Is it worth the 10 €?
Title: Re: [WARNING] : PHP setting register_globals should be disabled on your server
Post by: isajade on June 25, 2009, 07:34:18 pm
My webhost replied that it would turn off many securised scripts.

To keep it ON that have many protections, so it's not a problem.

Quote
Mettre en OFF register_globals bloque de nombreux scripts qui sont
pourtant sécurisés.
Afin de permettre de garder la variable ON, nous avons d'autres
protections bien plus efficaces.

Aucun souci donc.

 :-\
Title: Re: [WARNING] : PHP setting register_globals should be disabled on your server
Post by: Joachim Müller on June 25, 2009, 07:44:46 pm
My webhost replied that it would turn off many securised scripts.
That's nonsense IMO.
Title: Re: [WARNING] : PHP setting register_globals should be disabled on your server
Post by: isajade on June 25, 2009, 08:11:10 pm
Thank you for your reply. My webhost says that I'm perfectly safe with it turned ON.

(sorry his reply is in French)
Quote
Ce n'est pas une fadaise, c'est une réalité. Certains scripts ont besoin
de register_globals.
Malheureusement je ne peux pas la mettre en ON sur le serveur. Sinon de
nombreux clients vont être bloqué.

Nous connaissons l'architecture de nos serveurs et les protections que
nous employons. Un programmeur ne va pas connaitre notre manière de
faire et/ou de protéger les scripts. Mettre en OFF n'est qu'une solution
de facilité.
Chaque client dispose d'un espace cloisonné où les utilisateurs gèrent
leur PHP en toute liberté.
L'ensemble des requêtes est contrôlé et géré pour prévenir un piratage.
Vous ne risquez strictement rien. Je prends la responsabilité pleine de
mes propos.

 :-[
Title: Re: [WARNING] : PHP setting register_globals should be disabled on your server
Post by: Joachim Müller on June 25, 2009, 08:15:01 pm
Thank you for your reply. My webhost says that I'm perfectly safe with it turned ON.
Well, I told you what my I think about the quailty of your webhost's comments. They are just nonsense. However, this thread is not the correct place to discuss your individual issues.
Title: Re: [WARNING] : PHP setting register_globals should be disabled on your server
Post by: isajade on June 25, 2009, 08:16:34 pm
Sorry, thank you.  :-X
Title: Re: [WARNING] : PHP setting register_globals should be disabled on your server
Post by: Master of Disaster on July 01, 2009, 03:11:13 pm
What do you think? Is it worth the 10 € for turning off register_globals?
Title: Re: [WARNING] : PHP setting register_globals should be disabled on your server
Post by: Joachim Müller on July 01, 2009, 04:06:38 pm
this thread is not the correct place to discuss your individual issues.
The fact that your question was ignored in the first place obviuosly was not enough, so I have to reply accordingly: we don't know nor care. Personally, I wouldn't be ready to pay for a secure setup. If my webhoster would charge for a security-related setting I'd be looking for another webhost. But that's just my persaonal taste. Please stop the discussion of your inidvidual issues.
Title: Re: [WARNING] : PHP setting register_globals should be disabled on your server
Post by: hobox on July 15, 2009, 08:22:19 pm
Is there a way to turn off the warning?
Title: Re: [WARNING] : PHP setting register_globals should be disabled on your server
Post by: Fabricio Ferrero on July 16, 2009, 12:49:12 am
If you don't have control over the webserver and therefore can't do that, ask your webhost for support.  Most webhosts should be happy to help you turn register_globals "off" because it removes potential security holes in all PHP scripts.

This is a thread that is beeing pointed from the Config Panel and I don't think that more post should be added.

Locking.
Title: Re: [WARNING] : PHP setting register_globals should be disabled on your server
Post by: Joachim Müller on October 27, 2009, 12:53:53 pm
The warning message will be visible for the admin only, so there is no harm done for the visitors of your gallery. If the output of the message bothers you, turn it of by making your webhost disable the register_globals toggle as suggested alrerady. If you just want to silence the output, you haven't understood what we're discussing here. You should review the idea in that case to run a site of your own. Anway, we won't discuss this subject further.