Comments
Re: Modify Php Settings With .htaccess File
Thanks, it is really useful, I'll move to docs section.
MG, have you thought about, in the file .htaccess, adding something to block the characters below?
Why should I block these?
Not all of these requests may be dangerous... :roll:
I can't lock all these kinds of requests, because someone may need them for other scripts on their sites.
Mighty Gorgon [ Sat 25 Aug, 2007 18:34 ]

Re: Modify Php Settings With .htaccess File
Many thanks, novice programmer, very useful! :up:
buldo [ Sun 26 Aug, 2007 00:12 ]

Re: Modify Php Settings With .htaccess File
Thanks, it is really useful, I'll move to docs section.
MG, have you thought about, in the file .htaccess, adding something to block the characters below?
Why should I block these?
Not all of these requests may be dangerous... :roll:
I can't lock all these kinds of requests, because someone may need them for other scripts on their sites.
About the < and >: With the <HTML TEXT> you can insert a script at the address. I know you have blocked all script tags on the URL, but it could be obfuscated... it'll become this way: <D5%110%25%2001%20%>. From my POV this is a security issue.
For possible hackers: The numbers have been selected at random, and they won't work in a page.
About the ': I know CTracker blocks them, but if someone can insert into the URL a code for not-CTracker loading...
About the ": PHP code could be edited with them.
And about the { and }: I don't know any page which uses them, so they could be blocked.
MG, if you find this risky, you can upload them as a customization, so users could decide.
You can add this to the acronyms:
POV = Point Of View
novice programmer [ Sun 26 Aug, 2007 21:36 ]

Re: Modify Php Settings With .htaccess File
Yes of course it is a matter of POV :wink: !
In my opinion scripts must be secured against these kinds of requests, but I wouldn't block everything just because it may be dangerous.
If a script is well coded, then these measures will be useless.
There are always two extreme ways of adopting security measures:
- Block everything that may be dangerous...
- Try to guess at runtime what may be dangerous and eventually block insecure scripts...
If you need something flexible, you should allow some vars to be processed, but escaped where needed.
In PHP there are many functions for this, such as urlencode, rawurlencode, htmlspecialchars and so on, that are there just to prevent injections.
As you can see, in major packages none of them blocks some chars so strictly.
What I did in Icy Phoenix was to secure HTTP requests by blocking injections via globals... so phpbb_root_path is blocked because it may be exposed to RFI (Remote File Inclusion) on those servers with globals enabled.
Anyway I really appreciate your point of view, and I hope you will post more of this, maybe someone will decide to follow your "hard" way and include a stricter .htaccess on their sites.
Can you create a new .htaccess including all these measures?
Mighty Gorgon [ Mon 27 Aug, 2007 21:07 ]

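An added example (my own code, not part of Icy Phoenix or of this thread) of the escape-at-output approach argued for above: the same input containing every character proposed for blocking, including a percent-encoded form that a URL filter would not see, is rendered harmless by rawurlencode and htmlspecialchars. The helper name and the sample inputs are constructed for the demonstration.

```php
<?php
// Added example, not Icy Phoenix code: escaping untrusted values at the point of
// output (URL and HTML) instead of blocking characters in .htaccess.
// Sample inputs are constructed; safe_link() is a hypothetical helper name.

/** Build an HTML link from untrusted title and query values, escaping at output. */
function safe_link(string $title, array $params): string
{
    // Percent-encode each query key and value (RFC 3986 style).
    $pairs = [];
    foreach ($params as $k => $v) {
        $pairs[] = rawurlencode((string) $k) . '=' . rawurlencode((string) $v);
    }
    $href = 'search.php?' . implode('&', $pairs);

    // Escape for the attribute and for the text node; ENT_QUOTES covers ' and ".
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">'
         . htmlspecialchars($title, ENT_QUOTES, 'UTF-8') . '</a>';
}

// Constructed inputs containing every character discussed in the thread.
$inputs = [
    'plain'   => 'hello world',
    'angle'   => '<b>bold</b>',
    'quotes'  => "it's \"quoted\"",
    'braces'  => '{config}',
    // PHP decodes percent-encoding when filling $_GET, so an encoded payload
    // arrives as the raw string; output escaping still neutralises it.
    'encoded' => urldecode('%3Cscript%3Ealert(1)%3C%2Fscript%3E'),
];

foreach ($inputs as $label => $value) {
    // Every '<', '>', quote and brace ends up as an entity or a %XX sequence.
    echo $label, ': ', safe_link($value, ['q' => $value]), PHP_EOL;
}
```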
Re: Modify Php Settings With .htaccess File
Yes of course it is a matter of POV :wink: !
In my opinion scripts must be secured against these kinds of requests, but I wouldn't block everything just because it may be dangerous.
......
Can you create a new .htaccess including all these measures?
I asked you because I know something about PHP, but not about .htaccess files.
novice programmer [ Tue 28 Aug, 2007 00:07 ]

Re: Modify Php Settings With .htaccess File
If you receive an error like this:
Allowed memory size of (number1) bytes exhausted when tried to allocate (number2) bytes on (file)
And "number1" is smaller than "number2", that's because Icy hasn't been configured for the smaller PHP allowed memory usage that is configured on most servers. To solve that:
OPEN "board_root"/.htaccess
FIND
#php_value memory_limit 32M
REPLACE WITH
php_value memory_limit 32M
Important: the 32 can be any other number, but it has to be a multiple of 8.
A simple test (actual limit is 12M, I tried 32MB) on my host returned this error (500):
Quote: Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator, and inform them of the time the error occurred, and anything you might have done that may have caused the error.
More information about this error may be available in the server error log.
Is there any other setting to modify? :roll:
buldo [ Tue 28 Aug, 2007 09:09 ]

Re: Modify Php Settings With .htaccess File
Your server does not support that value. They set up that value on every account by default.
Zuker [ Tue 28 Aug, 2007 13:17 ]

Re: Modify Php Settings With .htaccess File
Your server does not support that value. They set up that value on every account by default.
As I supposed :x
Thanks, Zuker
buldo [ Tue 28 Aug, 2007 13:32 ]

Re: Modify Php Settings With .htaccess File
....
A simple test (actual limit is 12M, I tried 32MB) on my host returned this error (500):
...
I have only tested the 8M multiples.
Notice that you only have to set the M for megabyte. If you put MB, it won't work.
novice programmer [ Tue 28 Aug, 2007 22:49 ]

Re: Modify Php Settings With .htaccess File
Notice that you only have to set the M for megabyte. If you put MB, it won't work.
I know. I've tried with 32M, but most probably Zuker is right :(
buldo [ Tue 28 Aug, 2007 23:10 ]

Re: Modify Php Settings With .htaccess File
buldo, you don't need to set it via .htaccess, because you can set it via PHP on your server...
Why do you want to raise the memory limit? Are you having white pages or some other warning?
_______________
Yes of course it is a matter of POV :wink: !
In my opinion scripts must be secured against these kinds of requests, but I wouldn't block everything just because it may be dangerous.
......
Can you create a new .htaccess including all these measures?
I asked you because I know something about PHP, but not about .htaccess files.
When I have some free time I'll try to play with it and show you how to block some special chars.
If you have time, there are several sites which help users in coding their .htaccess.
Mighty Gorgon [ Wed 29 Aug, 2007 00:52 ]

Re: Modify Php Settings With .htaccess File
buldo, you don't need to set it via .htaccess, because you can set it via PHP on your server...
Why do you want to raise the memory limit? Are you having white pages or some other warning?
I've got a "Memory exceeded limit" with "Rebuild search index" in ACP->DB Maintenance, using the standard IP parameters.
I must reduce "Max post size" in ACP->DB Maintenance->Configuration to 250 to complete the task.
I've also tried to insert "ini_set('memory_limit','32M');" in config.php as suggested in another post, but the error remains.
Ciao,
buldo [ Wed 29 Aug, 2007 09:01 ]

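An added diagnostic (my own code, not Icy Phoenix's and not from any post in this thread) for the memory_limit discussion above: it mirrors PHP's shorthand parsing so the difference between 32M and 32MB is visible, and reports whether ini_set() can actually raise the limit on the host, which is what the config.php attempt relies on. Function names are my own; the sample values are the ones mentioned in the thread.

```php
<?php
// Added diagnostic, not Icy Phoenix code: shows how PHP reads memory_limit
// shorthand and whether this host lets a script raise the limit at runtime.

/** Convert a php.ini shorthand such as "32M" to bytes, mirroring PHP's rule:
 *  only the last character is examined, and only K, M and G are multipliers. */
function shorthand_to_bytes(string $value): int
{
    $value = trim($value);
    if ($value === '-1') {
        return -1; // -1 means "no limit"
    }
    $unit   = strtoupper(substr($value, -1));
    $number = (int) $value; // leading digits only, as PHP's own parser does
    switch ($unit) {
        case 'G': return $number * 1024 * 1024 * 1024;
        case 'M': return $number * 1024 * 1024;
        case 'K': return $number * 1024;
        default:  return $number; // unknown suffix ("32MB" ends in B): plain bytes
    }
}

/** Try to raise memory_limit with ini_set() and report what really happened.
 *  ini_set() returns false when the value is admin-locked (php_admin_value)
 *  or when the new limit is below current usage, so the result is conclusive. */
function memory_limit_report(string $wanted): array
{
    $before = ini_get('memory_limit');
    $ok     = @ini_set('memory_limit', $wanted);
    $after  = ini_get('memory_limit');
    return [
        'before' => $before,
        'after'  => $after,
        'raised' => ($ok !== false)
                    && shorthand_to_bytes($after) >= shorthand_to_bytes($wanted),
    ];
}

// Values from the thread: "32MB" is read as 32 bytes, not 32 megabytes.
foreach (['32M', '32MB', '16M', '12M', '32'] as $v) {
    printf("%-5s -> %d bytes\n", $v, shorthand_to_bytes($v));
}
print_r(memory_limit_report('32M'));
```

If 'raised' is false here, a php_value line in .htaccess will not help either; a 500 rather than a silently ignored value means Apache refused the php_value directive itself (PHP not running as an Apache module, or AllowOverride not permitting it), and the server error log will say which.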
Re: Modify Php Settings With .htaccess File
...............
A simple test (actual limit is 12M, I tried 32MB) on my host returned this error (500):
..........
If you can't set memory to 32M, try 16M, and if that doesn't work, set it to 12M. Try it out both ways.
I recommend setting it to a multiple of 8M because those are the values I've tested. You can try the ones you want.
novice programmer [ Thu 30 Aug, 2007 23:30 ]

Re: Modify Php Settings With .htaccess File
Actual limit is 12M. I've also tried 16M, but it doesn't work.
Anyway, thanks for your tips. :up:
buldo [ Fri 31 Aug, 2007 00:17 ]