Textpattern CMS support forum
Localhost, PHP, and register_globals...and of course TxP
Since updating all my local sites to 4.0.2, I’ve been getting a diagnostics error saying I need to either turn off register_globals or upgrade PHP.
My local setup is XAMPP. My php is 5.0.4, which I think is fine, so I’ve looked into the register_globals thing. Between PHP4 and PHP5 in XAMPP, there are about 8 different ini files. Naturally I started looking at the PHP5 versions first. In the end, I’ve gone through every one (including those in PHP4, just for the heck of it) and turned the register_globals off where I found it to be on. However, I still have the diagnostic error.
If I try and uncomment the #php_value register_globals 0 line in the .htaccess file for the TxP install, then I get a 500 Internal Server error. Maybe that’s the wrong .htaccess, but I don’t see any in XAMPP anywhere.
I’m not too concerned about this because they are not production sites, but still…any ideas how to kill that diagnostic?
While you are at it, ideas about that path not writable diagnostic too?
Diagnostics of one example:
Textpattern version: 4.0.2 (r1076)
Last Update: 2005-11-02 16:03:58/2005-11-02 15:56:00
Document root: C:/_txp/wion (C:\_txp\wion)
$path_to_site: C:\_txp\wion
Textpattern path: C:\_txp\wion\textpattern
Permanent link mode: section_title
upload_tmp_dir: .;c:\apachefriends\xampp\tmp
Temp folder: C:\_txp\wion\textpattern\tmp
Site URL: local.wion.com
PHP version: 5.0.4
Register globals: 1
server_time: 2005-11-07 16:56:06
MySQL: 4.1.12
Locale: en_US.UTF-8
Server: Apache/2.0.54 (Win32) mod_ssl/2.0.54 OpenSSL/0.9.7g PHP/5.0.4
Apache version: Apache/2.0.54 (Win32) mod_ssl/2.0.54 OpenSSL/0.9.7g PHP/5.0.4
Pre-flight check:
_
File Upload Path is not writable: /var/tmp
Your version of PHP has security related risks. Please turn register_globals off or update to a newer PHP version.
_
.htaccess file contents:
_
#DirectoryIndex index.php index.html
#Options +FollowSymLinks
#RewriteBase /relative/web/path/
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^(.+) - [PT,L]
RewriteRule ^(.*) index.php
</IfModule>
#php_value register_globals 0
Last edited by Destry (2005-11-07 16:14:28)
Re: Localhost, PHP, and register_globals...and of course TxP
This is for security reasons. If it’s a local install and only you can access it, you can ignore the message.
If you click on the “?” icon next to the diagnostics you’ll find some basic info and a link to the advisory.
Re: Localhost, PHP, and register_globals...and of course TxP
If you click on the “?” icon next to the diagnostics you’ll find some basic info and a link to the advisory.
Yeah, followed all that…no change.
I won’t worry about it since it’s not live stuff. Just have a penchant for clean diagnostics is all ;)
Does everybody who uses XAMPP have this problem with 4.0.2?
Re: Localhost, PHP, and register_globals...and of course TxP
Well, I’ve got the same warning about register globals etc. on my live sites.
So what to do? Is this something serious?
Last edited by andreas (2005-11-07 21:43:13)
#5 2005-11-07 21:52:31
- HedgeHog
- Member
- From: Springfield, MO
- Registered: 2004-03-24
- Posts: 14
Re: Localhost, PHP, and register_globals...and of course TxP
I got the message using xampp and 4.02. Just like you, I am a bit of a clean freak when it comes to diagnostics. I just turned register globals off in the php.ini file.
#6 2005-11-07 22:39:35
- zem
- Developer Emeritus
- From: Melbourne, Australia
- Registered: 2004-04-08
- Posts: 2,579
Re: Localhost, PHP, and register_globals...and of course TxP
Is this something serious?
Yes. It’s a major PHP security issue that potentially affects all scripts. We’ve done as much as we can to minimize the problem within Textpattern, but it seems it’s not possible to solve entirely within an application. You should definitely turn it off if you can.
Alex
Re: Localhost, PHP, and register_globals...and of course TxP
If it’s mod_php you have to restart Apache before any changes to php.ini take effect. Maybe that’s what happened.
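The situation described in this thread is several php.ini copies under one XAMPP tree, any of which may still enable register_globals. As an added example (not code from the thread or from Textpattern), this Python script reports the effective setting in every *.ini file under a directory; the sample file paths and contents are constructed, and which file PHP actually loads still has to be read from phpinfo().

```python
import re
import tempfile
from pathlib import Path

ASSIGN = re.compile(r"^\s*register_globals\s*=\s*(.*)$", re.IGNORECASE)
# Constructed sample files (not the real XAMPP layout), keyed by relative path.
SAMPLES = {
    "php/php.ini": "[PHP]\n;register_globals = On\nregister_globals = Off\n",
    "apache/bin/php.ini": "[PHP]\nregister_globals = Off\n\nregister_globals = On ; legacy\n",
    "php/php4/php4.ini": "[PHP]\n; register_globals = On\n",
}


def effective_register_globals(ini_text):
    """Return (enabled, line_no) of the last active assignment, else (None, None)."""
    result = (None, None)
    for line_no, line in enumerate(ini_text.splitlines(), start=1):
        if line.lstrip().startswith(";"):  # whole-line comment, not a setting
            continue
        match = ASSIGN.match(line)
        if match:  # a later assignment overrides an earlier one
            value = match.group(1).split(";", 1)[0].strip().strip("\"'").lower()
            # PHP boolean directives: on/yes/true or a non-zero integer enable it.
            enabled = value in {"on", "yes", "true"} or (value.isdigit() and int(value) != 0)
            result = (enabled, line_no)
    return result


def audit_tree(root):
    """Map each *.ini file under root that sets register_globals to its result."""
    findings = {}
    for path in sorted(Path(root).rglob("*.ini")):
        enabled, line_no = effective_register_globals(path.read_text(errors="replace"))
        if enabled is not None:
            findings[path.relative_to(root).as_posix()] = (enabled, line_no)
    return findings


def build_sample_tree(root):
    for rel, text in SAMPLES.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(audit_tree(tmp))
```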
Re: Localhost, PHP, and register_globals...and of course TxP
I’m on a hosted server so should I contact my host?
Re: Localhost, PHP, and register_globals...and of course TxP
Have you tried the line in .htaccess? If that doesn’t work, then I would suggest asking your host how you can change this setting.
Re: Localhost, PHP, and register_globals...and of course TxP
I get an internal server error when I uncomment the line in .htaccess. So I’m going to ask my host if they can change this.
Can I point them to some security bulletin to underline my point?
Re: Localhost, PHP, and register_globals...and of course TxP
Original advisory: http://www.hardened-php.net/advisory_202005.79.html
There is also a note on php.net and in the Changelog for 4.4.1.
German article: http://www.heise.de/newsticker/meldung/65598
Re: Localhost, PHP, and register_globals...and of course TxP
Thanks.