[Solved] php.ini - Please can I get access to this configuration file?


Posted

-    php.ini     -

Please can I get access to this configuration file?

 

 LINK TO TEST.PHP  INFO

 

 HelioHost | Johnny

Current User: usgfx42
Primary Domain: usgfx.com.usgfx.cz
Shared IP Address: 65.19.141.67
Home Directory: /home/usgfx42

 

 

Please, if not, can I get some things enabled / changed below?

core : allow_url_include       ON
core : display errors          ON
core : disable functions       NO VALUE
core : enable dl               ON
core : expose_php              ON
core : max_execution_time      300
core : max_input_time          300
core : register_argc_argv      OFF
core : sendmail_from           wwwuser@cgi.yourhostingaccount.com
core : SMTP                    mail.yourhostingaccount.com
core : Variables Order         EGPCS

curl : GSS-Negotiate           YES
curl : IDN                     YES

session : session.gc_divisor       1000
session : session.gc_probability   1
session : session.use_trans_sid    1

mbstring : mbstring.http_input     PASS      PASS
mbstring : mbstring.http_output    PASS      PASS

standard : url_rewriter.tags       fieldset=

 

 

 

Thank you in advance for your help, time and prompt response,

 

E.I.

service [at] usgfx.cz

Posted

Some of those suggested settings are security issues...even if Krydos can change some, I can say for certain we’re not going to put 300 second execution timeouts or blank the disable functions line...

Posted

I honestly haven't even read through the list yet, because it's irrelevant until I know which version of php we're even talking about.

 

I should also mention that if you want to edit your own php.ini or use insecure functions like exec() you won't be able to do that on a shared hosting account like you have, but you can do so on a vps https://www.heliohost.org/vps/

Posted

allow_url_include ON

It's already on.

 

display errors ON

It's already on.

 

disable functions NO VALUE

The functions that are disabled are going to stay disabled because they are a security risk on a shared hosting plan.

 

enable dl ON

It's a security vulnerability to have this on.

 

expose_php ON

This would allow criminals to see the vulnerabilities of our php version. Why do you even think you need this on?

 

max_execution_time 300

Max execution time is intentionally kept low to help keep the server load low. If each php process was allowed to run for 5 minutes all of the server memory would be consumed even more easily, and the server would have even more downtime than it already does.

 

max_input_time 300

Max input time is intentionally kept low to help keep the server load low. It's a terrible idea for uptime to set this much higher than it already is.

 

register_argc_argv OFF

If this was disabled you wouldn't be able to pass arguments to php on the command line which would make a lot of cron jobs stop working. It would increase performance slightly though so I'm tempted. Why does it matter to you if you can pass arguments on the command line anyways?

 

sendmail_from wwwuser@cgi.yourhostingaccount.com

So you want literally everyone's emails on the entire server to look like they are coming from your account? I don't think you even know what you're asking for. Where did you copy/paste this list from? It's obviously settings that are meant to be run on a vps, not shared hosting.

 

SMTP mail.yourhostingaccount.com

Same as above.
Posted

Variables Order           EGPCS

It's currently set to GPCS which is default. The E is a performance hit to list in this directive, and you can access it via the getenv() function anyways if you really need it which most people don't.

 

curl :    GSS-Negotiate    YES

I think you can just set it via the curl CURLAUTH_GSSNEGOTIATE option. That's a pretty obscure one.

 

curl  :  IDN                    YES

This would require compiling curl from source which would undoubtedly break other things. I prefer to keep everything supported through the package manager if at all possible.

 

session :  session.gc_divisor         1000

cPanel disables this by default for what I assume is performance increases.

 

session :  session.gc_probability       1

cPanel disables this by default for what I assume is performance increases.

 

session : session.use_trans_sid           1

This is a security risk. Cookie based sessions are more secure than URL based sessions.

 

mbstring  mbstring.http_input     PASS

I think this is already set.

 

mbstring  mbstring.http_output       PASS

I think this is already set.

 

url_rewriter.tags              fieldset=

I'm not sure what this is supposed to mean. The default value is "a=href,area=href,frame=src,input=src,form=fakeentry". This option is related to the URL sessions that I listed above as being a security risk.

 

Overall, I really think that whatever software you're trying to run is going to require a vps if it really needs all of these insecure settings. Luckily for you we provide those.

Posted (edited)

PHP.ini: Please can I get the includes turned on at least, please?

Sorry to bother you again with this... but...

Thank you for the prompt responses... and the included security tutorial!

...you guys are G R 8 !

I'm not an expert like you, so I apologize if I turned on all the whistles and bells for a security breach at helio...

but all I did was copy the params that I used to have on my other server, and these were then the things that differed..

Again, I sincerely apologize..

needless to say...

for this but I can't seem to get things to go without the includes,...

PHP Version 5.6.38

Core

allow_url_fopen                     On                On

allow_url_include                   Off               Off

Maybe I am just seeing these as OFF when they are really actually ON?

Thank you again for your time and help...  E.

the test link for my server johnny php.ini that I get the includes are OFF ...

here's test link for your krydos.heliohost.org72/phpinfo.php includes are OFF ... as well

 

 

 

 


Edited by usgfx42
Posted

I'm sorry. For some reason when I was writing that earlier I read it as allow_url_fopen not allow_url_include. We allow a lot of easily hacked software, most notably WordPress, to run on our servers, and allowing hackers to include malicious code hosted on another server is a security risk. We can control our own servers pretty well, but allowing users to execute code on some other server that may or may not have any security could be a problem if the remote code is changed by a hacker. Why do you need to include remote code? Why not just upload it to our server and include it locally?
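
The settings the staff replies in this thread decline for shared hosting can be checked mechanically. The script below is an added example, not code from the thread or from HelioHost; `SAMPLE_INI`, `parse_ini`, `audit` and the `max_exec_limit` default of 30 seconds (PHP's stock default) are assumptions made for illustration.

```python
# Added example: audit php.ini text for the directives flagged in the replies above.
# SAMPLE_INI is constructed from the values requested in the first post; it is
# not HelioHost's configuration.
SAMPLE_INI = """\
[PHP]
; constructed sample
allow_url_include = On
enable_dl = On
expose_php = On
disable_functions =
max_execution_time = 300
session.use_trans_sid = 1
"""

TRUTHY = {"1", "on", "yes", "true"}
# Directives the replies call a security risk when switched on.
FLAGGED_WHEN_ON = ("allow_url_include", "enable_dl", "expose_php",
                   "session.use_trans_sid")


def parse_ini(text):
    """Return {directive: value}. Names stay case-sensitive, last value wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";[" or "=" not in line:
            continue  # blank line, comment, section header or junk
        key, _, value = line.partition("=")
        value = value.strip()
        if not value.startswith('"'):
            value = value.split(";", 1)[0].strip()  # drop inline comment
        settings[key.strip()] = value.strip('"')
    return settings


def audit(text, max_exec_limit=30):
    """List explicitly set directives that conflict with the staff's stance."""
    s = parse_ini(text)
    findings = [d for d in FLAGGED_WHEN_ON if s.get(d, "").lower() in TRUTHY]
    if "disable_functions" in s and not s["disable_functions"]:
        findings.append("disable_functions")  # blank list disables nothing
    limit = s.get("max_execution_time", "")
    # 0 means no time limit at all in PHP
    if limit.isdigit() and (int(limit) == 0 or int(limit) > max_exec_limit):
        findings.append("max_execution_time")
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_INI))
```

Only directives that appear in the file are reported; a directive left out of php.ini falls back to PHP's compiled-in default, which this check does not model.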
