[Solved] php.ini - Please can I get access to this configuration file?

php.ini

  • This topic is locked
11 replies to this topic

#1 usgfx42

usgfx42

    Newbie

  • Members
  • 4 posts
  • Gender:Male

Posted 08 December 2018 - 06:07 PM

-    php.ini     -

Please can I get access to this configuration file?

 

LINK TO TEST.PHP INFO

HelioHost | Johnny

Current User: usgfx42
Primary Domain: usgfx.com.usgfx.cz
Shared IP Address: 65.19.141.67
Home Directory: /home/usgfx42

Please, if not, can I get some things enabled / changed below?

core : allow_url_include ON
core : display errors ON
core : disable functions NO VALUE
core : enable dl ON
core : expose_php ON
core : max_execution_time 300
core : max_input_time 300
core : register_argc_argv OFF
core : sendmail_from wwwuser@cgi.yourhostingaccount.com
core : SMTP mail.yourhostingaccount.com
core : Variables Order EGPCS

curl : GSS-Negotiate YES
curl : IDN YES

session : session.gc_divisor 1000
session : session.gc_probability 1
session : session.use_trans_sid 1

mbstring : mbstring.http_input PASS PASS
mbstring : mbstring.http_output PASS PASS

standard : url_rewriter.tags fieldset=

Thank you in advance for your help, time and prompt response,

 

E.I.

service [at] usgfx.cz



#2 Luigi123

Luigi123

    Rank X Member

  • Moderators
  • 1,252 posts
  • Gender:Male
  • Location:Winnipeg, Manitoba, Canada

Posted 08 December 2018 - 06:46 PM

Let’s find out.


 


#3 Krydos

Krydos

    Rank X Member

  • Root Admin
  • 17,567 posts
  • Gender:Male

Posted 08 December 2018 - 07:08 PM

Which version of php are you using?

#4 wolstech

wolstech

    Rank X Member

  • Root Admin
  • 9,895 posts
  • Gender:Male
  • Location:Pennsylvania

Posted 08 December 2018 - 09:29 PM

Some of those suggested settings are security issues...even if Krydos can change some, I can say for certain we’re not going to put 300 second execution timeouts or blank the disable functions line...

Please do not PM me for support. Posting on our forums lets all of us learn.



#5 Krydos

Krydos

    Rank X Member

  • Root Admin
  • 17,567 posts
  • Gender:Male

Posted 08 December 2018 - 09:30 PM

I honestly haven't even read through the list yet, because it's irrelevant until I know which version of php we're even talking about.

I should also mention that if you want to edit your own php.ini or use insecure functions like exec() you won't be able to do that on a shared hosting account like you have, but you can do so on a vps https://www.heliohost.org/vps/

#6 usgfx42

usgfx42

    Newbie

  • Members
  • 4 posts
  • Gender:Male

Posted 09 December 2018 - 01:03 PM

PHP Version 5.6.38

Edited by Krydos, 09 December 2018 - 09:01 PM.
no need to shout


#7 Krydos

Krydos

    Rank X Member

  • Root Admin
  • 17,567 posts
  • Gender:Male

Posted 09 December 2018 - 08:58 PM

allow_url_include ON

It's already on.

display errors ON

It's already on.

disable functions NO VALUE

The functions that are disabled are going to stay disabled because they are a security risk on a shared hosting plan.

enable dl ON

It's a security vulnerability to have this on.

expose_php ON

This would allow criminals to see the vulnerabilities of our php version. Why do you even think you need this on?

max_execution_time 300

Max execution time is intentionally kept low to help keep the server load low. If each php process was allowed to run for 5 minutes all of the server memory would be consumed even more easily, and the server would have even more downtime than it already does.

max_input_time 300

Max input time is intentionally kept low to help keep the server load low. It's a terrible idea for uptime to set this much higher than it already is.

register_argc_argv OFF

If this was disabled you wouldn't be able to pass arguments to php on the command line which would make a lot of cron jobs stop working. It would increase performance slightly though so I'm tempted. Why does it matter to you if you can pass arguments on the command line anyways?

sendmail_from wwwuser@cgi.yourhostingaccount.com

So you want literally everyone's emails on the entire server to look like they are coming from your account? I don't think you even know what you're asking for. Where did you copy/paste this list from? It's obviously settings that are meant to be run on a vps, not shared hosting.

SMTP mail.yourhostingaccount.com

Same as above.

#8 Krydos

Krydos

    Rank X Member

  • Root Admin
  • 17,567 posts
  • Gender:Male

Posted 09 December 2018 - 09:00 PM

Variables Order EGPCS

It's currently set to GPCS which is default. The E is a performance hit to list in this directive, and you can access it via the getenv() function anyways if you really need it which most people don't.

curl : GSS-Negotiate YES

I think you can just set it via the curl CURLAUTH_GSSNEGOTIATE option. That's a pretty obscure one.

curl : IDN YES

This would require compiling curl from source which would undoubtedly break other things. I prefer to keep everything supported through the package manager if at all possible.

session : session.gc_divisor 1000

Cpanel disables this by default for, what I assume is, performance increases.

session : session.gc_probability 1

Cpanel disables this by default for, what I assume is, performance increases.

session : session.use_trans_sid 1

This is a security risk. Cookie based sessions are more secure than URL based sessions.

mbstring mbstring.http_input PASS

I think this is already set.

mbstring mbstring.http_output PASS

I think this is already set.

url_rewriter.tags fieldset=

I'm not sure what this is supposed to mean. The default value is "a=href,area=href,frame=src,input=src,form=fakeentry". This option is related to the URL sessions that I listed above as being a security risk.

Overall, I really think that whatever software you're trying to run is going to require a vps if it really needs all of these insecure settings. Luckily for you we provide those.

#9 usgfx42

usgfx42

    Newbie

  • Members
  • 4 posts
  • Gender:Male

Posted 10 December 2018 - 07:03 AM

PHP.ini Please can I get the includes turned on at least please .. ?

Sorry to bother you again with this.... but...

Thank you for the prompt responses...and the included security tutorial!

...you guys are G R 8 !

I'm not an expert like you so I apologize if I turned on all the whistles and bells for a security breach at helio...

but all I did was copy the params that I used to have on my other server and these were then things that differed..

again I sincerely apologize..

needless to say...

for this but I can't seem to get things to go without the includes,...

PHP Version 5.6.38

link for my server johnny php.ini that I get the includes are OFF ...

here's test link for your krydos.heliohost.org72/phpinfo.php includes are OFF ...as well

[Attached image: phpini_johnny_2018-12-10_8-07-46AAA.jpg]

[Attached image: krydos_phpini_2018-12-10_8-11-30AAA.jpg]


Edited by usgfx42, 10 December 2018 - 07:41 AM.


#10 Krydos

Krydos

    Rank X Member

  • Root Admin
  • 17,567 posts
  • Gender:Male

Posted 10 December 2018 - 07:25 AM

I'm sorry. For some reason when I was writing that earlier I read it as allow_url_fopen not allow_url_include. We allow a lot of easily hacked software, most notably wordpress, run on our servers, and allowing hackers to include malicious code hosted on another server is a security risk. We can control our own servers pretty well, but allowing users to execute code on some other server that may or may not have any security could be a problem if the remote code is changed by a hacker. Why do you need to include remote code? Why not just upload it to our server and include it locally?
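
The settings the admins assessed in this thread can be checked against a live configuration from PHP itself. The script below is an added example, not code from the thread or from HelioHost; the function names and the 300-second threshold (the value refused above) are assumptions for illustration, and it avoids type declarations so that it also runs on PHP 5.6.

```php
<?php
// Added example (not from the thread): report directives that the admins
// here called risky on shared hosting. Function names are hypothetical.

// ini_get() returns "1", "", "On", "Off" or false; normalise to a boolean.
function ini_bool($name)
{
    return filter_var(ini_get($name), FILTER_VALIDATE_BOOLEAN);
}

function audit_php_ini($maxSeconds = 300) // assumed threshold: the refused value
{
    $findings = array();
    $shouldBeOff = array(
        'allow_url_include'     => 'include/require may fetch code from other servers',
        'enable_dl'             => 'scripts may load extensions at runtime via dl()',
        'expose_php'            => 'the PHP version is advertised in response headers',
        'session.use_trans_sid' => 'session IDs are carried in URLs, not cookies',
    );
    foreach ($shouldBeOff as $name => $why) {
        if (ini_bool($name)) {
            $findings[] = "$name is On: $why";
        }
    }

    // disable_functions is a comma-separated list; empty means nothing is blocked.
    $raw = (string) ini_get('disable_functions');
    $disabled = array_filter(array_map('trim', explode(',', $raw)));
    if (!$disabled) {
        $findings[] = 'disable_functions is empty';
    } elseif (!in_array('exec', $disabled, true)) {
        $findings[] = 'disable_functions does not block exec()';
    }

    // 0 means no limit. The CLI always reports max_execution_time 0, so run
    // this through the web server to see the limits that apply to requests.
    foreach (array('max_execution_time', 'max_input_time') as $name) {
        $seconds = (int) ini_get($name);
        if ($seconds === 0 || $seconds >= $maxSeconds) {
            $findings[] = "$name is $seconds: long-running requests can tie up the server";
        }
    }
    return $findings;
}

header('Content-Type: text/plain');
$findings = audit_php_ini();
echo $findings ? implode("\n", $findings) . "\n" : "No risky settings found.\n";
```

Delete the file after checking, since like a public phpinfo.php page it discloses server configuration.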

#11 usgfx42

usgfx42

    Newbie

  • Members
  • 4 posts
  • Gender:Male

Posted 10 December 2018 - 09:27 AM

ok ok ok .. am I missing something here then???

[Attached image: includes2018-12-10_10-24-10.jpg]


Edited by usgfx42, 10 December 2018 - 09:49 AM.


#12 Krydos

Krydos

    Rank X Member

  • Root Admin
  • 17,567 posts
  • Gender:Male

Posted 10 December 2018 - 06:24 PM

Those look like local includes to me. Have you checked to make sure those included files exist?




