Bypass php.ini

jclarkkent2003
Forum Contributor
Posts: 123
Joined: Sat Dec 04, 2004 9:14 pm

Post by jclarkkent2003 »

Hello,
I am wondering how I can bypass the settings I set in my php.ini.

I have a server with my sites on it and shared hosting, I have ALLOW_URL_FOPEN = OFF
and
ALLOW_HTTP_UPLOADS = OFF

because I don't want my users getting hacked, but I have a secret hidden website domain that only I know about and I use it for testing CONSTANTLY.

I need to know how I can bypass those settings ONLY on A SINGLE DOMAIN or a very small list of domains.

I know about ini_set(), but that does not work for ALLOW_URL_FOPEN and ALLOW_HTTP_UPLOADS. My friend tells me you can bypass it another way via CURL or something, can someone help me out please? I also disabled a handful of commands like cmd(), shell_exec(), and exec() as well as some more as protection to make sure it doesn't get hacked hopefully.

Thank you very much.
patrikG
DevNet Master
Posts: 4235
Joined: Thu Aug 15, 2002 5:53 am
Location: Sussex, UK

Post by patrikG »

Try [php_man]ini_set[/php_man].
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

Sample from Apache's httpd.conf showing how we disable safe_mode etc. for a given directory (for a host, it would be the same principle)

<Directory /home/org/oker/services/www/site/foto>
        <IfModule mod_php4.c>
                php_admin_flag safe_mode Off
                php_admin_flag file_uploads On
                php_admin_value memory_limit 14M
        </IfModule>
        AllowOverride Options FileInfo
</Directory>
jclarkkent2003
Forum Contributor
Posts: 123
Joined: Sat Dec 04, 2004 9:14 pm

Post by jclarkkent2003 »

Hi,
I tried that as:

<Directory /home/USERNAME/public_html/testingfiles/t123>
<IfModule mod_php4.c>
php_admin_flag safe_mode Off
php_admin_flag file_uploads On
php_admin_value memory_limit 14M
</IfModule>
AllowOverride Options FileInfo
</Directory>

AND/OR

<Directory /home/USERNAME/public_html/testingfiles/t123/>
<IfModule mod_php4.c>
php_admin_flag safe_mode Off
php_admin_flag file_uploads On
php_admin_value memory_limit 14M
</IfModule>
AllowOverride Options FileInfo
</Directory>


Oh, my bad, you're supposed to place that in the httpd.conf, I thought it went into the .htaccess.

Are there any other ways? I can try logging in and messing with .htaccess later today but I'd like to see ALL the ways and if there are any others.

Thanks.
jclarkkent2003
Forum Contributor
Posts: 123
Joined: Sat Dec 04, 2004 9:14 pm

Post by jclarkkent2003 »

Didn't I mention I tried INI_SET()? Did you get it to work?

http://us2.php.net/manual/en/function.ini-set.php

I tried:

ini_set("allow_url_fopen",1); and it did not work for me, and the reason I believe is because php has ACCESS rules, which they have on that page I pasted, a chart of the rules and where the value can be changed.

allow_url_fopen "1" PHP_INI_SYSTEM

How do I change this from a website's directory ? I can change the values when it is set to "PHP_INI_PERDIR" or "PHP_INI_ALL", but when it is setup as "PHP_INI_SYSTEM", I personally could not get it to work.

If you can test it and tell me that would be great.

You can get the default value by:


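<?php
// Read the live value with ini_get(); getenv() reads environment variables, not ini settings.
echo "SET DEFAULT AS: " . ini_get("allow_url_fopen") . " <br>";
// Attempt the runtime change; ini_set() returns false when the directive's scope forbids it.
ini_set("allow_url_fopen", 1);
echo "NEW SETTING: " . ini_get("allow_url_fopen") . " <br>";
?>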

paste that into a script and see what you get. That is if it is off on your server, if it's already on then change the ini_set("allow_url_fopen",1); to ini_set("allow_url_fopen",0);
rehfeld
Forum Regular
Posts: 741
Joined: Mon Oct 18, 2004 8:14 pm

Post by rehfeld »

If it's PHP_INI_SYSTEM

it can only be changed from php.ini

Like you said, there's access restrictions


If you really want configurability on a per dir basis, run php as a cgi, or look into suPHP.org
then you can give your users their very own php.ini
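
The access rules discussed in the posts above can be checked on a given server with the script below. It is an added example, not code from any poster in this thread; the directive list and the function names are assumptions made for the illustration.

```php
<?php
// Added example: list who may change each directive and check that a runtime
// ini_set() is refused for the PHP_INI_SYSTEM ones discussed in the thread.

// Assumption: audit list picked for this example from settings named above.
$directives = ['allow_url_fopen', 'file_uploads', 'disable_functions', 'memory_limit'];

// Turn the access bitmask reported by ini_get_all() into readable scope names.
function access_scopes(int $access): string
{
    $scopes = [];
    if ($access & INI_USER)   { $scopes[] = 'script (ini_set)'; }
    if ($access & INI_PERDIR) { $scopes[] = 'per-directory (.htaccess)'; }
    if ($access & INI_SYSTEM) { $scopes[] = 'system (php.ini, httpd.conf)'; }
    return implode(' | ', $scopes);
}

// Return one row per directive: current value, allowed scopes, runtime result.
function audit_directives(array $directives): array
{
    $all  = ini_get_all(null, true);   // details=true adds the 'access' field
    $rows = [];
    foreach ($directives as $name) {
        if (!isset($all[$name])) {     // e.g. directive removed in this PHP version
            $rows[$name] = ['value' => null, 'scopes' => 'not available', 'runtime' => false];
            continue;
        }
        $current = (string) ini_get($name);
        // Re-apply the current value: nothing changes if the call is accepted,
        // and ini_set() returns false when the scope rules refuse it.
        $accepted = ini_set($name, $current) !== false;
        $rows[$name] = [
            'value'   => $current,
            'scopes'  => access_scopes((int) $all[$name]['access']),
            'runtime' => $accepted,
        ];
    }
    return $rows;
}

foreach (audit_directives($directives) as $name => $row) {
    printf(
        "%-18s value=%-12s runtime change: %-8s scopes: %s\n",
        $name,
        var_export($row['value'], true),
        $row['runtime'] ? 'ALLOWED' : 'refused',
        $row['scopes']
    );
}
```

Request it through the web server rather than the CLI, because per-directory values set in httpd.conf are only applied there.
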
jclarkkent2003
Forum Contributor
Posts: 123
Joined: Sat Dec 04, 2004 9:14 pm

Post by jclarkkent2003 »

suPHP.org

I will look into that, it will help out.

How about any other ways?

I KNOW for FACT that my friend without ANY shell access at all, no exec, cmd, system, shell_exec commands, can bypass ANY settings regardless, he can turn off safemode, allow url fopen, allow http uploads, and re enable any settings like "exec, cmd, system, shell_exec commands" that were specifically disabled in the php.ini file.

He will NOT tell me how but he said there are MANY ways and he told me to look into cURL extensions.

Anyone?
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

jclarkkent2003 wrote:
suPHP.org

I will look into that, it will help out.

How about any other ways?

I KNOW for FACT that my friend without ANY shell access at all, no exec, cmd, system, shell_exec commands, can bypass ANY settings regardless, he can turn off safemode, allow url fopen, allow http uploads, and re enable any settings like "exec, cmd, system, shell_exec commands" that were specifically disabled in the php.ini file.

He will NOT tell me how but he said there are MANY ways and he told me to look into cURL extensions.

Anyone?

This doesn't sound like a friend at all lol
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

jclarkkent2003
Forum Contributor
Posts: 123
Joined: Sat Dec 04, 2004 9:14 pm

Post by jclarkkent2003 »

lol, yes he is an "online" friend I have known for 3 years, but it's just what he does. He brags about it constantly so I'd like to make it really difficult.