Bypass php.ini
Posted: Sat Dec 04, 2004 9:39 pm
by jclarkkent2003
Hello,
I am wondering how I can bypass the settings I set in my php.ini.
I have a server with my sites on it and shared hosting, I have ALLOW_URL_FOPEN = OFF
and
ALLOW_HTTP_UPLOADS = OFF
because I don't want my users getting hacked, but I have a secret hidden website domain that only I know about and I use it for testing CONSTANTLY.
I need to know how I can bypass those settings ONLY on A SINGLE DOMAIN or a very small list of domains.
I know about ini_set(), but that does not work for ALLOW_URL_FOPEN and ALLOW_HTTP_UPLOADS. My friend tells me you can bypass it another way via CURL or something, can someone help me out please? I also disabled a handful of commands like cmd(), shell_exec(), and exec() as well as some more as protection to make sure it doesn't get hacked hopefully.
Thank you very much.
Posted: Sun Dec 05, 2004 3:01 am
by patrikG
Try ini_set.
Posted: Sun Dec 05, 2004 9:06 am
by timvw
Sample from Apache's httpd.conf showing how we disable safe_mode etc. for a given directory (for a host, it would be the same principle):
Code:
<Directory /home/org/oker/services/www/site/foto>
<IfModule mod_php4.c>
php_admin_flag safe_mode Off
php_admin_flag file_uploads On
php_admin_value memory_limit 14M
</IfModule>
AllowOverride Options FileInfo
</Directory>
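An added example, not part of the thread or of any poster's code: a Python check a host admin could run over httpd.conf to list the scopes where php_flag / php_admin_flag overrides, like the one above, relax the server-wide php.ini hardening. The baseline values, the sample fragment and the function names are assumptions made for illustration.

```python
import re

# Assumed hardened php.ini baseline for the shared host (constructed for this example).
BASELINE = {"allow_url_fopen": False, "file_uploads": False, "safe_mode": True}

# Constructed httpd.conf fragment, modelled on the <Directory> block posted above.
SAMPLE_CONF = """
<Directory /home/USERNAME/public_html/testingfiles/t123>
<IfModule mod_php4.c>
php_admin_flag safe_mode Off
php_admin_flag file_uploads On
php_admin_value memory_limit 14M
</IfModule>
</Directory>
<VirtualHost *:80>
php_admin_flag allow_url_fopen Off
</VirtualHost>
"""

OPEN = re.compile(r"<(\w+)\s*([^>]*)>")
CLOSE = re.compile(r"</\w+>")
PHP = re.compile(r"(php_(?:admin_)?(?:flag|value))\s+(\S+)\s+(.+)", re.I)
SCOPES = {"directory", "virtualhost", "location", "files"}

def to_bool(value):
    return value.strip().strip('"').lower() in ("on", "1", "true", "yes")

def find_relaxed_overrides(conf_text, baseline=BASELINE):
    """Return (scope, directive, setting, value) for each override that differs from baseline."""
    stack, findings = [], []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if CLOSE.fullmatch(line):
            if stack:
                stack.pop()
        elif m := OPEN.fullmatch(line):
            stack.append((m.group(1).lower(), m.group(2).strip()))
        elif m := PHP.fullmatch(line):
            directive, setting, value = m.group(1).lower(), m.group(2), m.group(3)
            # Report the innermost container that actually scopes the override.
            scope = next((f"{k} {a}" for k, a in reversed(stack) if k in SCOPES), "server config")
            if setting in baseline and to_bool(value) != baseline[setting]:
                findings.append((scope, directive, setting, value))
    return findings

if __name__ == "__main__":
    for finding in find_relaxed_overrides(SAMPLE_CONF):
        print(*finding, sep=" | ")
```

Settings outside the baseline (memory_limit here) are ignored, and an override that matches the baseline, such as the VirtualHost line, is not reported.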
Posted: Sun Dec 05, 2004 11:21 am
by jclarkkent2003
Hi,
I tried that as:
<Directory /home/USERNAME/public_html/testingfiles/t123>
<IfModule mod_php4.c>
php_admin_flag safe_mode Off
php_admin_flag file_uploads On
php_admin_value memory_limit 14M
</IfModule>
AllowOverride Options FileInfo
</Directory>
AND/OR
<Directory /home/USERNAME/public_html/testingfiles/t123/>
<IfModule mod_php4.c>
php_admin_flag safe_mode Off
php_admin_flag file_uploads On
php_admin_value memory_limit 14M
</IfModule>
AllowOverride Options FileInfo
</Directory>
Oh, my bad, you're supposed to place that in the httpd.conf, I thought it went into the .htaccess.
Are there any other ways? I can try logging in and messing with .htaccess later today but I'd like to see ALL the ways and if there are any others.
Thanks.
Posted: Sun Dec 05, 2004 11:27 am
by jclarkkent2003
Didn't I mention I tried INI_SET()? Did you get it to work?
http://us2.php.net/manual/en/function.ini-set.php
I tried:
ini_set("allow_url_fopen",1); and it did not work for me, and the reason I believe is because php has ACCESS rules, which they have on that page I pasted, a chart of the rules and where the value can be changed.
allow_url_fopen "1" PHP_INI_SYSTEM
How do I change this from a website's directory? I can change the values when it is set to "PHP_INI_PERDIR" or "PHP_INI_ALL", but when it is set up as "PHP_INI_SYSTEM", I personally could not get it to work.
If you can test it and tell me that would be great.
You can get the default value by:
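<?php
// Read the effective value with ini_get(); getenv() only reads environment
// variables, and a function call inside a quoted string is never evaluated.
echo "SET DEFAULT AS: " . ini_get("allow_url_fopen") . " <br>";
// Attempt the runtime change.
ini_set("allow_url_fopen", 1);
echo "NEW SETTING: " . ini_get("allow_url_fopen") . " <br>";
?>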
Paste that into a script and see what you get. That is if it is off on your server; if it's already on then change the ini_set("allow_url_fopen",1); to ini_set("allow_url_fopen",0);
Posted: Sun Dec 05, 2004 11:52 am
by rehfeld
If it's PHP_INI_SYSTEM
it can only be changed from php.ini
Like you said, there are access restrictions
If you really want configurability on a per dir basis, run PHP as a CGI, or look into suPHP.org
Then you can give your users their very own php.ini
Posted: Sun Dec 05, 2004 12:36 pm
by jclarkkent2003
suPHP.org
I will look into that, it will help out.
How about any other ways?
I KNOW for a FACT that my friend without ANY shell access at all, no exec, cmd, system, shell_exec commands, can bypass ANY settings regardless, he can turn off safemode, allow url fopen, allow http uploads, and re-enable any settings like "exec, cmd, system, shell_exec commands" that were specifically disabled in the php.ini file.
He will NOT tell me how but he said there are MANY ways and he told me to look into cURL extensions.
Anyone?
Posted: Sun Dec 05, 2004 3:27 pm
by John Cartwright
jclarkkent2003 wrote:
suPHP.org
I will look into that, it will help out.
How about any other ways?
I KNOW for a FACT that my friend without ANY shell access at all, no exec, cmd, system, shell_exec commands, can bypass ANY settings regardless, he can turn off safemode, allow url fopen, allow http uploads, and re-enable any settings like "exec, cmd, system, shell_exec commands" that were specifically disabled in the php.ini file.
He will NOT tell me how but he said there are MANY ways and he told me to look into cURL extensions.
Anyone?

This doesn't sound like a friend at all lol
Posted: Sun Dec 05, 2004 4:22 pm
by timvw
Posted: Sun Dec 05, 2004 4:24 pm
by jclarkkent2003
lol, yes he is an "online" friend I have known for 3 years, but it's just what he does. He brags about it constantly so I'd like to make it really difficult.