Icy Phoenix

If you recive a error like this:



And "number1" is smaller than "number2", that´s because icy don´t has been configured for a smaller Php allowed memory usage, that is cofigurated in most servers. For solving that:

OPEN "board_root"/.htaccess
FIND

REPLACE WITH


Important: the 32 can be any other number, but it has to be a multiple of 8.

---

If you need to set the register_globals configuration off (without modifying the php.ini):

OPEN "board_root"/.htaccess
FIND

REPLACE WITH

---

If you want to set the icy board error pages:

OPEN "board_root"/.htaccess
FIND

REPLACE WITH


Note: You have to put your website instead of "http://127.0.0.1"

---

To disable the rewrite engine (it doesn´t mind what is set in the ACP):

OPEN
FIND

REPLACE WITH

---

To sure that you won´t have any error in the domain/subdomain adress:

OPEN "board_root"/.htaccess
FIND

REPLACE WITH


Note: This time you have to put your Url on the first without the "www." if you have a domain or with the www. if you haven´t one, and in the second in the inverse way.

---

MG, have you thought about, in the file .htaccess, add something to block the characters below?

Thanks, it is really useful, I'll move to docs section.

novice programmer wrote: [View Post]

MG, have you thought about, in the file .htaccess, add something to block the characters below?

Code: [Download] [Hide] [Select]

Code: [Download] [Show]

",',<,>,{,},[,]

Why should I block these?

Not all of these requests may be dangerous... :roll:

I can't lock all these kind of requests, because someone may need them for other scripts on their sites.

Many thanks, novice programmer, very useful! :up:

Mighty Gorgon wrote: [View Post]

Thanks, it is really useful, I'll move to docs section.

novice programmer wrote: [View Post]

MG, have you thought about, in the file .htaccess, add something to block the characters below?

Code: [Download] [Hide] [Select]

Code: [Download] [Show]

",',<,>,{,},[,]

Why should I block these?

Not all of these requests may be dangerous... :roll:

I can't lock all these kind of requests, because someone may need them for other scripts on their sites.

About the < and >: With the <HTML TEXT> you can insert a script at the adress. I konw you have blocked all script tags on the url, but it could be ofuscated... it´ll become this way: <D5%110%25%2001%20%>. For my POV this is a security issue.

For possible hackers: The numbers have been selected at ramdom, and them won´t work in a page.

About the ': I know ctraker blocks them, but if someone can insert into the url a code for not-ctraker loading...

About the ": Php code could being edited with them

And about the { and }: I don´t know any page which use them, so they could be blocked.

MG, if you found this risky, you can upload them as a customization, so users could decide.

You can add this to the acronyms:
POV = Point Of View

Yes of course it is a matter of POV :wink: !

In my opinion scripts must be secured against these kind of requests, but I wouldn't block everything just because they may be dangerous.

If a script is well coded, then these measures will be unuseful.

There are always two extreme ways in adopting securities measures:

• Block everything may be dangerous...
  
• Try to guess at runtime what may be dangerous and eventually block unsecure scripts...

If you need something flexible, you should allow some vars being processed, but escaped where needed.

In PHP there are many functions for this, such as urlencode, raw_urlencode, htmlspecialchars and so on that are there just to prevent injections.

As you can see in major packages none of them is blocking so strictly some chars.

What I did in Icy Phoenix was to secure http requests by blocking injections via globals... so phpbb_root_path is blocked because it may be exposed to RFI (Remote File Inclusions) in those servers with globals enabled.

Anyway I really appreciate your point of view, and I hope you will post more of this, maybe someone will decide to follow your "hard" way and include a more strict htaccess to their sites.

Can you create a new htaccess including all these measures?

Mighty Gorgon wrote: [View Post]

Yes of course it is a matter of POV :wink: !

In my opinion scripts must be secured against these kind of requests, but I wouldn't block everything just because they may be dangerous.

......

Can you create a new htaccess including all these measures?

I asked you because i know something about php, but not about .htaccess files.

novice programmer wrote: [View Post]

If you recive a error like this:

Code: [Download] [Hide] [Select]

Code: [Download] [Show]

Allowed memory size of (number1) bytes exausted when tried to allocate (number2) bytes on (file)

And "number1" is smaller than "number2", that´s because icy don´t has been configured for a smaller Php allowed memory usage, that is cofigurated in most servers. For solving that:

OPEN "board_root"/.htaccess
FIND

Code: [Download] [Hide] [Select]

Code: [Download] [Show]

#php_value memory_limit 32M

REPLACE WITH

Code: [Download] [Hide] [Select]

Code: [Download] [Show]

php_value memory_limit 32M

Important: the 32 can be any other number, but it has to be a multiple of 8.

A simple test (actual limit is 12M, I tried 32MB) on my host has returned this error (500):

Quote:

Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator, and inform them of the time the error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log.

Is there any other setting to modify? :roll:

Your server does not support that value. They set up that value on on every account by default

Zuker wrote: [View Post]

Your server does not support that value. They set up that value on on every account by default

As I supposed :x

Thanks, Zuker

buldo wrote: [View Post]

....

A simple test (actual limit is 12M, I tried 32MB) on my host has returned this error (500):

...

I have only tested the 8M multiples.

Notice that you have only to set the M for Megabyte. If you put MB, it won´t work.

novice programmer wrote: [View Post]

Notice that you have only to set the M for Megabyte. If you put MB, it won´t work.

I know. I've tried with 32M, but most problably Zuker is right :(

buldo, you don't need to set it via HTACCESS, because you can set it via PHP on your server...

Why you want to raise Memory Limit? Are you having white pages or some other warning?


_______________

novice programmer wrote: [View Post]

Mighty Gorgon wrote: [View Post]

Yes of course it is a matter of POV :wink: !

In my opinion scripts must be secured against these kind of requests, but I wouldn't block everything just because they may be dangerous.

......

Can you create a new htaccess including all these measures?

I asked you because i know something about php, but not about .htaccess files.

When I have some free time I'll try to have a play to show you how to block some special chars.

If you have time, there are several sites which helps users in coding their HTACCESS.

Mighty Gorgon wrote: [View Post]

buldo, you don't need to set it via HTACCESS, because you can set it via PHP on your server...

Why you want to raise Memory Limit? Are you having white pages or some other warning?

I've got a "Memory execed limit" with "Rebuild search index" in ACP->DB Maintenance, using the standard IP parameters.
I must reduce "Max post size" in ACP->DB Maintenance->Configuration to 250 to complete the task.

I've also tried to insert "ini_set('memory_limit','32M');" in config.php as suggested on other post, but the error remains.

Ciao,

buldo wrote: [View Post]

...............
A simple test (actual limit is 12M, I tried 32MB) on my host has returned this error (500):
..........

If can´t set memory at 32M, try with 16M, and if it doesn´t work, set it at 12M. Try it out with the two ways.

I recomend setting up at a multiple of 8M becase that are the valves I´ve tested. You can try with the ones you want.

Actual limit is 12M. I've also tried 16M, but it doesn't work.

Anyway, thanks for your tips. :up: