Kryptronic Software Support Forum


#1 11-16-2012 09:08:36

From: Boulder, CO
Registered: 08-03-2003
Posts: 375

ini_set function / php security hole

My ISP keeps disabling my CCP7 site because of the ini_set function.

They tell me this is a huge security hole in php.

This has cost me lots of money as they keep shutting down my store as a general precaution.

Does version 8 have this issue as well?

Can anyone elaborate on the security hole the ini_set function opens?




#2 11-19-2012 13:26:39

From: York, PA
Registered: 04-20-2001
Posts: 19804

Re: ini_set function / php security hole

All PHP versions of ClickCartPro and EuropaCart use ini_set() to change the environment variables on-the-fly so the software can run properly. I've never heard of a host disabling that option, as most scripts use it. PHP has built-in security which limits the damage you can do with ini_set() functions. I think your host is being a bit overzealous and it might be time to look for a new one. If you want to stick with them, perhaps you could request that they simply disable ini_set() in their php.ini. As long as the server config is appropriate, ClickCartPro and EuropaCart will not try to use ini_set() to set any variables.

Nick Hendler
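
The following is an added example, not part of the original posts and not Kryptronic code: a small PHP script a site owner or host can run to see whether ini_set() is disabled and which directives a script is actually permitted to change at runtime. It assumes PHP 7 or later; the directive names in `$watch` are an illustrative selection, and the access levels are read from the running interpreter rather than hard-coded.

```php
<?php
// Added example: audit what ini_set() can actually change on this host.

/** True if the function is listed in disable_functions or otherwise unavailable. */
function is_function_disabled(string $name): bool
{
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    return in_array($name, $disabled, true) || !function_exists($name);
}

/** Translate a directive's access bitmask into the places it may be set. */
function describe_access(int $access): string
{
    $levels = [];
    if ($access & INI_USER)   { $levels[] = 'script via ini_set()'; }
    if ($access & INI_PERDIR) { $levels[] = 'per-directory (.htaccess / .user.ini)'; }
    if ($access & INI_SYSTEM) { $levels[] = 'system (php.ini / server config)'; }
    return $levels ? implode(', ', $levels) : 'nowhere';
}

/** Build a report for the given directives from the live configuration. */
function audit_directives(array $names): array
{
    $all = ini_get_all(null, true); // details include global_value, local_value, access
    $report = [];
    foreach ($names as $name) {
        if (!isset($all[$name])) {
            $report[$name] = 'not present in this PHP build';
            continue;
        }
        $entry = $all[$name];
        $runtime = ($entry['access'] & INI_USER) ? 'YES' : 'no';
        $report[$name] = sprintf('value=%s | script-changeable=%s | settable in: %s',
            var_export($entry['local_value'], true), $runtime, describe_access($entry['access']));
    }
    return $report;
}

// Illustrative selection of directives (an assumption, adjust as needed).
$watch = ['disable_functions', 'open_basedir', 'allow_url_fopen', 'allow_url_include',
          'display_errors', 'memory_limit', 'max_execution_time', 'session.cookie_httponly'];

echo 'ini_set() disabled: ', is_function_disabled('ini_set') ? 'yes' : 'no', PHP_EOL;
foreach (audit_directives($watch) as $name => $line) {
    echo str_pad($name, 26), $line, PHP_EOL;
}
```

Directives reported as not script-changeable cannot be altered by ini_set() regardless of what an application attempts; the call simply returns false for them.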


