• Resolved aCstudent

    (@acstudent)


    Thank you for this great plugin WebFactory. It pointed out multiple vulnerabilities, some of which I was able to fix, others I am able to live with. Two that I would like to fix but cannot seem to figure it out involve php.ini: (1) Server response headers contain detailed PHP version info; and (2) expose_php PHP directive is turned on.

    I went to cPanel file manager, no php.ini anywhere. Created it in my root directory /home/[my-cPanel-username], with these two lines:
    expose_php = off
    allow_url_include = off

    No luck. Added this to my htaccess:
    suPHP_ConfigPath /home/[my-cPanel-username]/php.ini
    Still no luck. Any advice will be gratefully appreciated.

Viewing 4 replies - 1 through 4 (of 4 total)
  • Hi, thank you for the kind words!

    Let’s first try without php.ini 🙂 Do you have a “PHP Configuration” icon in your cPanel? If so, click and try adjusting those params via the GUI.

    Thread Starter aCstudent

    (@acstudent)

    Yes, a PHP Configuration icon is there. It lists several settings, but not these. Also it is read-only: “Your server’s administrator can customize these PHP configuration settings. The system displays them for your reference only.” There is also a PHP Selector that lists a number of extensions with check boxes. Do not see expose_php or allow_url_include there either.

    Thread Starter aCstudent

    (@acstudent)

    Looks like my host does not allow custom php.ini. I was able to turn off allow_url_include in htaccess…
    php_flag allow_url_include off

    I can’t seem to turn off expose_php, but I found a work-around at https://perishablepress.com/expose-php/
    RewriteCond %{QUERY_STRING} PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC]
    RewriteRule .* - [F]

    Security Ninja still correctly flags expose_php as being on, but the easter eggs and detailed PHP info response is blocked.

    So, I think I’m good. Thank you again for this awesome plugin.
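    As an added illustration (not code from the thread or from the plugin), the following Python check shows what that rewrite rule does and does not cover: it re-expresses the RewriteCond as a regex (the [NC] flag makes it case-insensitive) and inspects constructed response headers for X-Powered-By, the header that the rewrite rule cannot remove and that a scanner still sees while expose_php stays on. The GUID used is the PHP credits easter egg; the header samples are constructed.

    ```python
    import re
    from typing import Optional

    # The mod_rewrite condition from the .htaccess workaround, as a Python regex.
    # RewriteCond performs an unanchored search and [NC] ignores case, so
    # re.search with re.IGNORECASE is the faithful equivalent.
    EASTER_EGG_RE = re.compile(
        r"PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}",
        re.IGNORECASE,
    )


    def rewrite_rule_blocks(query_string: str) -> bool:
        """True if the RewriteRule would answer this query string with 403."""
        return EASTER_EGG_RE.search(query_string) is not None


    def leaked_php_version(raw_headers: str) -> Optional[str]:
        """Return the version an expose_php=On server reveals via X-Powered-By,
        or None when the header is absent (the rewrite rule never touches it)."""
        for line in raw_headers.splitlines():
            name, sep, value = line.partition(":")
            if sep and name.strip().lower() == "x-powered-by":
                match = re.search(r"PHP/(\d+(?:\.\d+)*)", value, re.IGNORECASE)
                return match.group(1) if match else value.strip()
        return None


    # Constructed sample responses, not captured from any real host.
    EXPOSED_HEADERS = (
        "HTTP/1.1 200 OK\r\nServer: Apache\r\n"
        "X-Powered-By: PHP/7.4.33\r\nContent-Type: text/html\r\n"
    )
    HARDENED_HEADERS = "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n"

    # PHP credits easter egg GUID, lowercased to show why [NC] matters.
    CREDITS_QUERY = "=phpb8b5f2a0-3c92-11d3-a3a9-4c7b08c10000"

    if __name__ == "__main__":
        print(leaked_php_version(EXPOSED_HEADERS))   # 7.4.33
        print(leaked_php_version(HARDENED_HEADERS))  # None
        print(rewrite_rule_blocks(CREDITS_QUERY))    # True
        print(rewrite_rule_blocks("p=123&s=php"))    # False
    ```

    Running it side by side makes the thread's outcome concrete: the easter-egg query is refused, but the X-Powered-By header from an expose_php=On server is still present, which is why the scanner keeps reporting the directive.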

    You’re welcome! Glad you managed to find a workaround 🙂


The topic ‘Creating php.ini’ is closed to new replies.