
Why are you using allow_url_fopen????

  • Why are you using allow_url_fopen????

    Posted 12 years 2 months ago
    • Hello,

      Let me start by saying I am a webhost (and my apologies for the long post). I also perform many Joomla installations for my clients and when asked I always refer them to RT for their template needs.

      My question to you is: why are you relying on allow_url_fopen when so many shared hosts have disabled this due to the incredible degree of bad code out there and the inherent risks it poses? I am not suggesting your code is poorly written and vulnerable. There are safer alternatives (like curl); why not use them?

      As a host I am now forced into a terrible corner.

      1) Do I keep allow_url_fopen disabled and protect my clients from so many potential attacks due to poorly written code, or
      2) Do I enable it for seamless RT installations and put my client sites and the server itself at risk from hackers?

      I risk losing clients because of this, and I would lose them because I recommend RT templates. Why would I do that?

      By choosing to use allow_url_fopen you are putting yourself at odds with many hosting companies' decision to disable allow_url_fopen. Have you considered this?

      Of course I can make it such that individuals can enable it themselves at their own risk, but that makes no sense from a host's perspective. I would be leaving a door open for hackers to establish themselves on my server, from which they can probe deeper into the server looking for the smallest weakness. No host wants that scenario. I am also left with the task of explaining to them the inherent perils of enabling allow_url_fopen.

      As well, by forcing users of RT templates to have allow_url_fopen enabled you are inherently assuming that any other extension they may be using is going to be safe and properly coded. YOU are opening up a door for YOUR clients that they may not fully understand and putting them at further risk of being hacked!! Have you not considered this as well?

      I would ask you to consider no longer using allow_url_fopen and using a safer alternative instead. Do not force your clients to seek out hosts who are indifferent to security over those that run secure servers. You can easily dismiss this issue by saying hosting and security are up to the clients, but that would be unprofessional and irresponsible. Many (and I'd venture to say most) individuals who use Joomla are not programmers and do not understand all these issues. It is up to hosts and developers to keep the internet safe. Let's all do our part. Thanks for reading.

      Liano
    • Who?
    • Preeminent Rocketeer
    • Posts: 25562
    • Thanks: 613
    • Joomla freelancer

    Re: Why are you using allow_url_fopen????

    Posted 12 years 2 months ago
    • This is actually Joomla core requirement and there is nothing we can do about it. You are really knocking on the wrong doors regarding this 8)
    • Check my services at: Mihha-Vision
    • DanG
    • Preeminent Rocketeer
    • Posts: 36750
    • Thanks: 3229
    • Custom work done

    Re: Why are you using allow_url_fopen????

    Posted 12 years 2 months ago
    • joomlaservices wrote:
      I would ask you consider stop using allow_url_fopen and use a safer alternative.
      None of our templates require allow_url_fopen to be enabled. We rely on cURL and Ajax to accomplish our tasks.
      However, certain parts of Joomla such as the Updater require cURL or, lacking that, allow_url_fopen = enabled.
      Quoting Nicholas K. Dionysopoulos of Akeeba fame:
      The new Joomla! updater does not solely rely on URL fopen() wrappers anymore. It will prefer using cURL if it's enabled on your system (virtually all live hosts have it enabled). Only if cURL is not available will it try using URL fopen() wrappers, if they are enabled. However, that is true only for the Joomla! updater. The extensions updater (Extensions, Manage Extensions, Update) still exclusively relies on URL fopen() wrappers, hence the warning.

      Regarding the security of URL fopen() wrappers, it depends on your PHP version. In versions prior to PHP 5.2.0, enabling allow_url_fopen would also allow PHP to include remotely stored files as if they were stored locally. This was being exploited by hackers, hosting malicious code on their server as .txt files and including them on victim sites by taking advantage of remote file inclusion vulnerabilities. Since PHP 5.2.0 a new directive, allow_url_include, is made available. When it's set to 0, you can have fully functional URL fopen() wrappers but disallow inclusion of remotely hosted code. Ref: www.php.net/manual/en/filesystem.configu...ni.allow-url-include As a result, all security warnings regarding allow_url_fopen are outdated by at least five years - PHP 5.2.0 was released on November 2nd, 2006. Unfortunately, I've only seen people discussing allow_url_include in the last year or so. The instructions in the security checklist were first written several years ago and are still relevant, but that part is not entirely accurate. It's good as a rule of thumb, but not accurate :)
      If you still don't believe us then on the Joomla forums it has been noted that the info about allow_url_fopen is OUTDATED -> forum.joomla.org/viewtopic.php?f=621&t=782236#p2985160

      Hope this helps you understand the issue more clearly :)
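The distinction the quoted post draws, as an added example that is not RocketTheme's or Joomla's code: a PHP script that reports allow_url_fopen, allow_url_include and cURL availability on the host, fetches a URL in the same preference order described for the updater (cURL first, URL fopen() wrappers only as a fallback), and shows an include() built on a local allow-list so that neither directive can turn it into remote inclusion. The function names and the template names are assumptions.

```php
<?php
// Added example, not RocketTheme or Joomla code: reports the settings the thread
// turns on, fetches in the updater's preference order, and includes safely.
function remote_capabilities(): array {
    return [
        'allow_url_fopen'   => filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN),
        'allow_url_include' => filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN),
        'curl'              => extension_loaded('curl'),
    ];
}
// Same order as the updater: cURL first, URL fopen() wrappers only as a fallback.
function fetch_remote(string $url): ?string {
    $caps = remote_capabilities();
    if ($caps['curl']) {
        $ch = curl_init($url);
        curl_setopt_array($ch, [
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_FOLLOWLOCATION => false,      // no redirects to other hosts
            CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,
        ]);
        $body = curl_exec($ch);
        curl_close($ch);
        return $body === false ? null : $body;
    }
    if ($caps['allow_url_fopen']) {
        $body = @file_get_contents($url);         // data fetch only, never executed
        return $body === false ? null : $body;
    }
    return null; // neither transport: the updater cannot work on this host
}

// include() against an allow-list of local files: no user-controlled string
// reaches include, so neither directive can turn this into remote inclusion.
function include_template(string $name, string $baseDir): bool {
    $allowed = ['default', 'print', 'mobile'];    // constructed template names
    if (!in_array($name, $allowed, true)) {
        return false;
    }
    $path = realpath($baseDir . '/' . $name . '.php');
    if ($path === false || strpos($path, realpath($baseDir) . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    include $path;
    return true;
}
$caps = remote_capabilities();
printf("allow_url_fopen=%d allow_url_include=%d curl=%d\n", ...array_values($caps));
if ($caps['allow_url_include']) {
    echo "allow_url_include is On: set allow_url_include = 0 in php.ini\n";
}
```

Run it with the site's own php binary (php -f) so it reflects the php.ini the web server actually loads; a host can keep allow_url_fopen on for the updater while the include_template pattern and allow_url_include = 0 close the remote inclusion path.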
  • Re: Why are you using allow_url_fopen????

    Posted 12 years 2 months ago
    • you are correct...please delete this post, sorry :oops:
    • Who?
    • Preeminent Rocketeer
    • Posts: 25562
    • Thanks: 613
    • Joomla freelancer

    Re: Why are you using allow_url_fopen????

    Posted 12 years 2 months ago
    • We generally don't delete posts so all members can have some value from them 8)
    • Check my services at: Mihha-Vision
    • prim
    • Preeminent Rocketeer
    • Posts: 17290
    • Thanks: 217

    Re: Why are you using allow_url_fopen????

    Posted 12 years 2 months ago
