> SquirrelMail 1.4.6
> PHP 4.4.1
> UWIMAPD (IMAP4rev1 2003.339p-cpanel)
> Apache 1.3.34
> CentOS 4.2 i686
> Our webserver runs as nobody.
>
> Hello all. I'm installing 1.4.6, though I have been using 1.4.4 for a while now on the same server.
>
> I ran SquirrelMail configtest on the new 1.4.6 installation, and it stopped at this error:
> ERROR: You have enabled php register_globals. Running PHP installation with register_globals=on can cause problems. See security information about register_globals.
>
> I've read the link and also several posts on various lists, but I'm not much wiser. Can someone please summarize:
> - what is the problem and is it serious?
> - can the problem be easily solved without breaking something else?
> - I'm on shared hosting (it's not my server) so can I solve this?
> - Is there any way to let the configtest bypass the register_globals error so that it will run the remaining tests?
>
> Because I'm on a shared server I override some PHP values locally in an .htaccess file, such as to enable attachments greater than 2 MB. So, I added the following to the .htaccess file in the new 1.4.6 directory:
> php_value register_globals Off
>
> I then ran phpinfo.php, and it showed that while the Master Value is still "On", the Local Value for register_globals is now "Off". Yet when I re-run SquirrelMail configtest it still says that register_globals=on even though it has been overridden locally.
>
> Help please, this is beyond my knowledge. Thanks.
php_flag register_globals off, not php_value. register_globals is boolean. Your webhosting provider must allow use of htaccess files in the apache configuration. See the AllowOverride directive in the apache documentation.

SquirrelMail 1.4.6 added the rg=on check in order to prevent possible security and variable corruption issues. SquirrelMail developers code with PHP register_globals turned off. In some cases developers can make wrong assumptions about variables and introduce insecure code that can be exploited in register_globals=on setups. Some of the latest SquirrelMail security issues can be exploited only in rg=on setups. SquirrelMail code is complex and variable corruption is possible in rg=on setups.

It is strongly recommended to run SquirrelMail and other PHP scripts with register_globals turned off. The provider should turn globals on only when scripts are broken, don't work in rg=off and you can't fix those scripts.

You can use SquirrelMail 1.4.6 in an rg=on setup, but you won't pass configtest. I'll protest if somebody tries to make the rg=on check non-fatal in the SM-1_4-STABLE branch. We are trying to prevent use of insecure SquirrelMail and PHP setups.

http://www.php.net/security.globals

--
Tomas

--
squirrelmail-users mailing list
Posting Guidelines: http://www.squirrelmail.org/wiki/MailingListPostingGuidelines
List Address: squirrelmail-users@lists.sourceforge.net
List Archives: http://news.gmane.org/thread.php?group=gmane.mail.squirrelmail.user
List Archives: http://sourceforge.net/mailarchive/forum.php?forum_id=2995
List Info: https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
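The "variable corruption" Tomas refers to is easiest to see in code. The following is an added example, not SquirrelMail's code and not from the thread: it emulates what register_globals=on did (import every request parameter as a global before the script runs), shows an authentication flag that a client can pre-seed through the query string, the hardened form that initialises its own state, and a configtest-style check that reads the value actually in effect for the request. The function names (emulate_register_globals, vulnerable_check, hardened_check, register_globals_enabled, run_demo), the credentials and the request array are all constructed for the example. register_globals was removed in PHP 5.4, so the emulation is what lets this run on a current PHP.

```php
<?php
// Added example, not SquirrelMail or mailing-list code. It shows the
// variable-corruption hazard behind the configtest register_globals check.
//
// With register_globals=on, PHP imported every request parameter into global
// scope before the script ran, so ?logged_in=1 silently created $logged_in.
// The directive no longer exists (removed in PHP 5.4); emulate_register_globals()
// reproduces the old behaviour so both checks can be compared on any PHP.

// Emulation of register_globals=on: copy request parameters into global scope.
function emulate_register_globals(array $request): void
{
    foreach ($request as $name => $value) {
        $GLOBALS[$name] = $value;
    }
}

// Vulnerable pattern: the success flag is assigned only on the success path
// and never initialised, so a caller-supplied global survives into the test.
function vulnerable_check(string $user, string $pass): bool
{
    global $logged_in;
    if ($user === 'alice' && $pass === 'correct horse') {
        $logged_in = true;
    }
    return !empty($logged_in);
}

// Hardened pattern: the flag is local and initialised before use, so nothing
// the client can inject reaches the decision. Input should likewise be read
// only from $_GET / $_POST / $_COOKIE, never from a bare variable name.
function hardened_check(string $user, string $pass): bool
{
    $logged_in = false;
    if ($user === 'alice' && $pass === 'correct horse') {
        $logged_in = true;
    }
    return $logged_in;
}

// What a configtest-style check sees. ini_get() returns the value in effect
// for this request (the phpinfo "Local Value"), so an .htaccess override is
// visible here. Normalising the string matters: php_value can leave the
// literal string "Off", and a bare if (ini_get(...)) treats that as true.
function register_globals_enabled(): bool
{
    $v = strtolower(trim((string) ini_get('register_globals')));
    return in_array($v, ['1', 'on', 'true', 'yes'], true);
}

// Constructed request: wrong password, plus an injected logged_in=1.
function run_demo(): array
{
    $request = ['user' => 'alice', 'pass' => 'wrong', 'logged_in' => '1'];
    emulate_register_globals($request);
    return [
        'vulnerable_check' => vulnerable_check($request['user'], $request['pass']),
        'hardened_check'   => hardened_check($request['user'], $request['pass']),
        'register_globals' => register_globals_enabled(),
    ];
}

if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    var_export(run_demo());
    echo PHP_EOL;
}
```

Run with `php register_globals_demo.php`: with the wrong password and the injected parameter, vulnerable_check() still returns true while hardened_check() returns false, which is exactly the class of bug configtest refuses to run under. On the configuration side, the fix from the reply is the two-line .htaccess entry `php_flag register_globals off` (a boolean directive, hence php_flag rather than php_value); it only takes effect when PHP runs as an Apache module (php_flag is ignored under CGI/FastCGI) and when the host's AllowOverride for that directory permits it (Options or All). Checking register_globals_enabled() from a script in the same directory confirms whether the override reached the request rather than trusting the phpinfo page alone.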