Bypass php.ini
-
jclarkkent2003
- Forum Contributor
- Posts: 123
- Joined: Sat Dec 04, 2004 9:14 pm
Bypass php.ini
Hello,
I am wondering how I can bypass the settings I set in my php.ini.
I have a server with my sites on it and shared hosting, I have ALLOW_URL_FOPEN = OFF
and
ALLOW_HTTP_UPLOADS = OFF
because I don't want my users getting hacked, but I have a secret hidden website domain that only I know about and I use it for testing CONSTANTLY.
I need to know how I can bypass those settings ONLY on A SINGLE DOMAIN or a very small list of domains.
I know about ini_set(), but that does not work for ALLOW_URL_FOPEN and ALLOW_HTTP_UPLOADS, my friend tells me you can bypass it another way via CURL or something, can someone help me out please? I also disabled a handful of commands like cmd(), shell_exec(), and exec() as well as some more as protection to make sure it doesn't get hacked hopefully.
Thank you very much.
Sample from Apache's httpd.conf showing how we disable safe_mode etc. for a given directory (for a host, it would be the same principle):
<Directory /home/org/oker/services/www/site/foto>
<IfModule mod_php4.c>
php_admin_flag safe_mode Off
php_admin_flag file_uploads On
php_admin_value memory_limit 14M
</IfModule>
AllowOverride Options FileInfo
</Directory>
-
jclarkkent2003
- Forum Contributor
- Posts: 123
- Joined: Sat Dec 04, 2004 9:14 pm
Hi,
I tried that as:
<Directory /home/USERNAME/public_html/testingfiles/t123>
<IfModule mod_php4.c>
php_admin_flag safe_mode Off
php_admin_flag file_uploads On
php_admin_value memory_limit 14M
</IfModule>
AllowOverride Options FileInfo
</Directory>
AND/OR
<Directory /home/USERNAME/public_html/testingfiles/t123/>
<IfModule mod_php4.c>
php_admin_flag safe_mode Off
php_admin_flag file_uploads On
php_admin_value memory_limit 14M
</IfModule>
AllowOverride Options FileInfo
</Directory>
Oh, my bad, you're supposed to place that in the httpd.conf, I thought it went into the .htaccess.
Are there any other ways? I can try logging in and messing with .htaccess later today but I'd like to see ALL the ways and if there are any others.
Thanks.
-
jclarkkent2003
- Forum Contributor
- Posts: 123
- Joined: Sat Dec 04, 2004 9:14 pm
didn't I mention I tried INI_SET() ? Did you get it to work?
http://us2.php.net/manual/en/function.ini-set.php
I tried:
ini_set("allow_url_fopen",1); and it did not work for me, and the reason I believe is because php has ACCESS rules, which they have on that page I pasted, a chart of the rules and where the value can be changed.
allow_url_fopen "1" PHP_INI_SYSTEM
How do I change this from a website's directory ? I can change the values when it is set to "PHP_INI_PERDIR" or "PHP_INI_ALL", but when it is setup as "PHP_INI_SYSTEM", I personally could not get it to work.
If you can test it and tell me that would be great.
You can get the default value by:
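<?php
// ini_get() reads a php.ini directive; getenv() only reads environment variables.
echo "SET DEFAULT AS: " . ini_get("allow_url_fopen") . " <br>";
// allow_url_fopen is PHP_INI_SYSTEM, so this call returns false and changes nothing.
ini_set("allow_url_fopen", 1);
echo "NEW SETTING: " . ini_get("allow_url_fopen") . " <br>";
?>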
paste that into a script and see what you get. That is if it is off on your server, if it's already on then change the ini_set("allow_url_fopen",1); to ini_set("allow_url_fopen",0);
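The changeability rules discussed in the post above can be checked from the server side. The following is an added example, not part of the original thread: it reads the access level of each directive with ini_get_all() and confirms that a script cannot change it at runtime. The directive list and the function names accessModes() and auditSettings() are assumptions made for illustration; file_uploads is the directive name used in the httpd.conf sample earlier in the thread.

```php
<?php
// Added example (not from the thread): report where each directive may be
// changed and check that a script cannot alter it at runtime.

// Directives from the thread, by their real names. The list is an assumption;
// extend it to match your own hardening baseline.
$settings = ['allow_url_fopen', 'file_uploads', 'disable_functions'];

// Turn the 'access' bitmask from ini_get_all() into readable mode names.
function accessModes(int $access): string
{
    $modes = [];
    if ($access & INI_USER)   { $modes[] = 'PHP_INI_USER'; }
    if ($access & INI_PERDIR) { $modes[] = 'PHP_INI_PERDIR'; }
    if ($access & INI_SYSTEM) { $modes[] = 'PHP_INI_SYSTEM'; }
    return $modes ? implode('|', $modes) : 'none';
}

// Return one report row per directive: values, access level, runtime mutability.
function auditSettings(array $names): array
{
    $all = ini_get_all(null, true); // details: global_value, local_value, access
    $rows = [];
    foreach ($names as $name) {
        if (!isset($all[$name])) {
            $rows[$name] = ['known' => false];
            continue;
        }
        $info = $all[$name];
        // Re-apply the current value: ini_set() returns false when the
        // directive is not changeable from a script, so nothing is altered.
        $result = ini_set($name, (string) $info['local_value']);
        $rows[$name] = [
            'known'            => true,
            'master'           => $info['global_value'],
            'local'            => $info['local_value'],
            'access'           => accessModes($info['access']),
            'runtime_writable' => $result !== false,
        ];
    }
    return $rows;
}

foreach (auditSettings($settings) as $name => $row) {
    if (!$row['known']) { echo "$name: not a known directive\n"; continue; }
    printf("%-18s master=%s local=%s access=%s runtime_writable=%s\n",
        $name, var_export($row['master'], true), var_export($row['local'], true),
        $row['access'], $row['runtime_writable'] ? 'yes' : 'no');
}
```

Run inside a directory covered by a php_admin_flag block in httpd.conf, the local value is expected to differ from the master value while runtime_writable stays "no".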
-
jclarkkent2003
- Forum Contributor
- Posts: 123
- Joined: Sat Dec 04, 2004 9:14 pm
suPHP.org
I will look into that, it will help out.
How about any other ways?
I KNOW for FACT that my friend without ANY shell access at all, no exec, cmd, system, shell_exec commands, can bypass ANY settings regardless, he can turn off safemode, allow url fopen, allow http uploads, and re enable any settings like "exec, cmd, system, shell_exec commands" that were specifically disabled in the php.ini file.
He will NOT tell me how but he said there are MANY ways and he told me to look into cURL extensions.
Anyone?
- John Cartwright
- Site Admin
- Posts: 11470
- Joined: Tue Dec 23, 2003 2:10 am
- Location: Toronto
- Contact:
This doesn't sound like a friend at all lol
jclarkkent2003 wrote:
suPHP.org
I will look into that, it will help out.
How about any other ways?
I KNOW for FACT that my friend without ANY shell access at all, no exec, cmd, system, shell_exec commands, can bypass ANY settings regardless, he can turn off safemode, allow url fopen, allow http uploads, and re enable any settings like "exec, cmd, system, shell_exec commands" that were specifically disabled in the php.ini file.
He will NOT tell me how but he said there are MANY ways and he told me to look into cURL extensions.
Anyone?
-
jclarkkent2003
- Forum Contributor
- Posts: 123
- Joined: Sat Dec 04, 2004 9:14 pm