Everything posted by SteveW

Hello, everyone. I'm trying to work out what changes my site will need if I transfer it to TCH. It looked like "not many changes" until I started reviewing my PHP settings. Much of this post is just to determine if my proposed changes are correct...

I'm currently on a server running suPHP. That probably reveals (but not to me!) whether PHP is "running as CGI or Apache module", but the end result is that currently I do have my own php.ini file, which uses the following settings, which are as secure as I could make them while still allowing SMF Forum 1.1.4 to run properly. (Some settings omitted here for security):

    allow_url_fopen = Off
    disable_functions = exec,shell_exec, ... and a dozen more
    display_errors = Off
    display_startup_errors = Off
    error_log = /home/userID/{pathandfile}
    error_reporting = E_ALL
    file_uploads = On
    log_errors = On
    register_globals = Off

As I understand it, TCH runs PHP in such a way that a single php.ini file serves all accounts on the server. However, the following settings can be done in .htaccess, as follows:

    php_flag display_errors Off
    php_flag display_startup_errors Off
    php_flag log_errors On
    php_flag register_globals Off
    php_value error_log /home/userID/{pathandfile}
    php_value error_reporting E_ALL

That leaves the following ones, which can't be set in .htaccess:

1) allow_url_fopen = Off

I consider it important for security because I get many RFI attacks. However, I did make an equivalent .htaccess workaround that might be useful for others. It denies any HTTP request where the URL query string contains "=http://" or "=ftp://":

    # mod_rewrite must be switched on before the rules below take effect.
    RewriteEngine On
    RewriteCond %{QUERY_STRING} ^.*=(ht|f)tp\://.*$ [NC]
    # The following line allows your own IP to use this type of query string, when you need it.
    #RewriteCond %{REMOTE_ADDR} !^111\.222\.333\.444$ [NC]
    RewriteRule .* - [F,L]

2) On TCH servers, is the following one On, since many scripts (including SMF) require it?

    file_uploads = On

3) That finally leaves this, which can only be set in the server's php.ini or httpd.conf. I don't use the functions I've disabled, but most exploit scripts DO use them, so disabling them is desirable:

    disable_functions = exec,shell_exec, and a dozen more

Can anyone think of a way to make this possible? Somewhere on this forum I encountered the following phrase: "a separate PHP.INI in every directory to override the default". Is that a usable option? If I did put my own php.ini in every directory, would the system use it?
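A Python port of the query-string rule in the post above, added here as a worked example (it is not from the original post, from SMF or from TCH) so the rule can be checked against sample requests offline before it is deployed; the allow-listed address and the sample query strings are constructed.

```python
import re

# Same regular expression as the RewriteCond in the post; the [NC] flag
# becomes re.IGNORECASE. Apache tests it against the raw query string, so
# is_denied() is also given the raw (undecoded) string.
QUERY_PATTERN = re.compile(r"^.*=(ht|f)tp\://.*$", re.IGNORECASE)

# Constructed stand-in for the commented-out REMOTE_ADDR exemption line.
ALLOWED_ADDRS = {"192.0.2.10"}


def is_denied(query_string: str, remote_addr: str) -> bool:
    """Return True when the rule chain ends in RewriteRule ... [F] (403)."""
    # RewriteCond lines are ANDed: with the exemption line uncommented, a
    # request from an allow-listed address never reaches the RewriteRule.
    if remote_addr in ALLOWED_ADDRS:
        return False
    return QUERY_PATTERN.search(query_string) is not None


def audit(requests):
    """Evaluate (query_string, remote_addr) pairs; return the denied ones."""
    return [qs for qs, addr in requests if is_denied(qs, addr)]


# Constructed sample requests (RFC 5737 documentation addresses).
SAMPLE_REQUESTS = [
    ("topic=42.0;start=15", "198.51.100.7"),            # ordinary SMF link
    ("page=http://203.0.113.5/x.txt", "198.51.100.7"),   # denied
    ("page=FTP://203.0.113.5/x.txt", "198.51.100.7"),    # denied ([NC])
    ("page=http://203.0.113.5/x.txt", "192.0.2.10"),     # own IP is exempt
    ("q=see+http://example.com", "198.51.100.7"),        # no "=" before URL
    ("url=https://example.com/", "198.51.100.7"),        # https: not matched
]

if __name__ == "__main__":
    for qs in audit(SAMPLE_REQUESTS):
        print("403:", qs)
```

The last sample shows a limit of the rule as written: it matches only "=http://" and "=ftp://", so a query string carrying an https:// URL passes through.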