How to Use Your Dynamic Joomla Header in vBulletin (https://vborg.vbsupport.ru/showthread.php?t=177822)

dannykilla 06-03-2008 04:13 PM

Thanks AzzX,

but my host won't allow the "allow_url_include = True"

I quote my support ticket below:

"Hi Danny,

Thanks for your ticket.

We already have allow_url_fopen set to ON. However, we cannot set allow_url_include to ON as this would allow an attacker to inject code into a script and potentially cause huge problems.

We can make changes like this for you with a Managed Virtual Server (MVS) or full Managed Server but not with a shared account.

Please let us know if we can be of any further help.

----
Chris Adams
Rochen Limited"


Any suggestions, is there a way around this?

Thanks
Danny

AzzX 06-04-2008 10:07 AM

You can try putting the code in a file named php.ini at your website and forum root. My webhost has phpsuexec enabled which allows the use of a custom php.ini to override the main config.

dannykilla 06-04-2008 01:20 PM

AzzX, thanks for the reply. One thing: if this does actually work (touch wood), what chmod should I set on both files?

Danny

AzzX 06-04-2008 01:54 PM

Not sure what you mean in regards to both files. Just create a text file called php.ini with
Code:

allow_url_fopen = True
allow_url_include = True

in it and drop it into your website root and forum home.

dannykilla 06-04-2008 04:38 PM

Ok AzzX,

I asked about that too and I got this on a reply to my ticket:

Technically it will work but this would be circumventing something we don’t allow you to do on the shared servers and thus it would result in account suspension.

You can do a local include without issue and this is the route I suggest you look at.

----

So how do I do a local include and will what I want be possible with it?

Thanks again
Dan

AzzX 06-20-2008 10:41 AM

Had a script kiddie hack attempt using the above method so I highly recommend not doing a dynamic header in this way.

Looking through my logs, vb.org was queried with the search term Joomla highlighted in order to find my site and run an automated exploit.

From another website on the same issue:
Quote:

The hacker is taking advantage of this global variables PHP exploit and inserting the URL of the code they run remotely into the URL so that they can run the program onto your server. How to fix the problem? Make it so the hacker can't pass URLs on your site.
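
The local-include route the host suggests, sketched as an added example (not code from this thread, Joomla or vBulletin): the script only ever includes files from one fixed local directory, chosen through an allowlist, so a URL passed in the request never reaches `include`. The directory name, the `header` request parameter and the file names are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. HEADER_DIR, the 'header' parameter
// and the file names are assumptions made for illustration.
declare(strict_types=1);

const HEADER_DIR = __DIR__ . '/headers';

// Keys are the only values a request may select; values are fixed local file names.
const ALLOWED_HEADERS = [
    'default' => 'default.php',
    'forum'   => 'forum.php',
];

function resolve_header(string $key, string $baseDir, array $allowed): ?string
{
    // The request value is used only as a lookup key, never as a path or URL,
    // so "http://..." or "../../etc/passwd" simply fails the lookup.
    if (!array_key_exists($key, $allowed)) {
        return null;
    }
    // Canonicalise both paths and require the target to sit inside the base
    // directory, which also catches symlinks that point elsewhere.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $allowed[$key]);
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Refuse to run if remote includes have been switched on (for example by a
// per-directory php.ini such as the one shown earlier in the thread).
if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
    http_response_code(500);
    exit('allow_url_include must be off');
}

$key = $_GET['header'] ?? 'default';
$file = is_string($key) ? resolve_header($key, HEADER_DIR, ALLOWED_HEADERS) : null;
if ($file === null) {
    http_response_code(400);
    exit('Unknown header');
}
include $file;
```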

