Kryptronic Software Support Forum

You are viewing this forum as a guest. Login to an existing account, or create a new account, to reply to topics and to create new topics.

Pages: 1

 

#1 11-16-2012 09:08:36

Uncletim
Member
From: Boulder, CO
Registered: 08-03-2003
Posts: 375
Website

ini_set function / php security hole

My ISP keeps disabling my CCP7 site because of the  ini_set function.

They tell me this is a huge security hole in php.

This has cost me lots of money as they keep shutting down my store as a general precaution.

Does version 8 have this issue as well?

Can anyone elaborate on the security hole  ini_set function opens?

Thanks.

Tim G.
wwwuncletim.com
wwweguitarcenter.com
wwwtheflatirons.com
wwwwesternriverrats.com

Offline

 

#2 11-19-2012 13:26:39

webmaster
Administrator
From: York, PA
Registered: 04-20-2001
Posts: 19798
Website

Re: ini_set function / php security hole

All PHP versions of ClickCartPro and EuropaCart use ini_set() to change the environment variables on-the-fly so the software can run properly.  I've never heard of a host disabling that option, as most scripts use it.  PHP has built in security which limits the damage you can do with ini_set() functions.  I think your host is being a bit overzealous and it might be time to look for a new one.  If you want to stick with them, perhaps you could request that they simply disable ini_set() in their php.ini.  As long as the server config is appropriate, ClickCartPro and EuropaCart will not try to use ini_set() to set any variables.

Nick Hendler

Offline

 

 

Pages: 1

Board footer