Guest Posted January 10, 2004 Share Posted January 10, 2004 Hi, My site is up and running, and have had no problems till so far, but the one problem that still exist is the permission via chmod on the configure.php file I have contacted my host about this, but after a long debate they just told me to make another folder outside the exiting folder? what does not help either:0( So writing to the Hosting Company has not helped what so ever? I?m no stranger using the chmod via WS-ftpLE seeing that I was previous with a different Hosting company, and had no problem what so ever with chmoding. No matter what I have tried, I still get error 500, command not understood Chmod failed, for it may not be supported on remote site. I?ve also tried making a protect.php <?php // Read and write for owner, nothing for everybody else chmod("/includes/configure.php", 0444); ?> But no matter what I do or try nothing seems to work;0( I?m just wondering if there is another work around this problem. Because I still have to stay with this host till October 2004. I really hope that some-one can help me. Kind regards Beth Link to comment Share on other sites More sharing options...
Guest Posted January 10, 2004 Share Posted January 10, 2004 you can use an ftp program to change the permissions. set configure.php at 644, wsftp can do that by right clicking and setting attributes. on another note, you pay for what you get. never, ever sign up with a host for more than a month so you can see if everything works. you get what you pay for with the wrong host, hey it may be cheap, but that is the kind of service you get too. you are trying to make money on the internet, why skimp over $15 or $20 savings because someone has it cheaper than a good quality service. not worth it. you wouldnt need to ask here for much if your host knew what they were doing. Link to comment Share on other sites More sharing options...
Guest Posted January 10, 2004 Share Posted January 10, 2004 Hi, I had the same problem but was able to solve it by doing the following: [so here it is in full , how to remove the "Warning: I am able to write to the configuration file: /*****/*****/includes/configure.php. This is a potential security risk - please set the right user permissions on this file" warning if you are sure the chmods for config.php are configured properly but message still appearing. MAKE SURE YOU BACK UP THE FILES BEFORE WORKING ON THEM!!!! Step 1 Locate this in catalog/includes/language/english.php define('WARNING_CONFIG_FILE_WRITEABLE', 'Warning: I am able to write to the configuration file: ' . dirname($HTTP_SERVER_VARS['SCRIPT_FILENAME']) . '/includes/configure.php. This is a potential security risk - please set the right user permissions on this file.'); CHANGE IT TO THIS: // define('WARNING_CONFIG_FILE_WRITEABLE', 'Warning: I am able to write to the configuration file: ' . dirname($HTTP_SERVER_VARS['SCRIPT_FILENAME']) . '/includes/configure.php. This is a potential security risk - please set the right user permissions on this file.'); Then go to catalog/includes/header.php and locate this: // check if the configure.php file is writeable if (WARN_CONFIG_WRITEABLE == 'true') { if ( (file_exists(dirname($HTTP_SERVER_VARS['SCRIPT_FILENAME']) . '/includes/configure.php')) && (is_writeable(dirname($HTTP_SERVER_VARS['SCRIPT_FILENAME']) . '/includes/configure.php')) ) { $messageStack->add('header', WARNING_CONFIG_FILE_WRITEABLE, 'warning'); } } Delete the above section and no more config writeable errors on the top of your page. Link to comment Share on other sites More sharing options...
Druide Posted January 10, 2004 Share Posted January 10, 2004 Hi, I had the same problem but was able to solve it by doing the following: [so here it is in full , how to remove the "Warning: I am able to write to the configuration file: /*****/*****/includes/configure.php. This is a potential security risk - please set the right user permissions on this file" warning if you are sure the chmods for config.php are configured properly but message still appearing. MAKE SURE YOU BACK UP THE FILES BEFORE WORKING ON THEM!!!! Step 1 Locate this in catalog/includes/language/english.php define('WARNING_CONFIG_FILE_WRITEABLE', 'Warning: I am able to write to the configuration file: ' . dirname($HTTP_SERVER_VARS['SCRIPT_FILENAME']) . '/includes/configure.php. This is a potential security risk - please set the right user permissions on this file.'); CHANGE IT TO THIS: // define('WARNING_CONFIG_FILE_WRITEABLE', 'Warning: I am able to write to the configuration file: ' . dirname($HTTP_SERVER_VARS['SCRIPT_FILENAME']) . '/includes/configure.php. This is a potential security risk - please set the right user permissions on this file.'); Then go to catalog/includes/header.php and locate this: // check if the configure.php file is writeable if (WARN_CONFIG_WRITEABLE == 'true') { if ( (file_exists(dirname($HTTP_SERVER_VARS['SCRIPT_FILENAME']) . '/includes/configure.php')) && (is_writeable(dirname($HTTP_SERVER_VARS['SCRIPT_FILENAME']) . '/includes/configure.php')) ) { $messageStack->add('header', WARNING_CONFIG_FILE_WRITEABLE, 'warning'); } } Delete the above section and no more config writeable errors on the top of your page. It's obvious that you dont have a clue why the ERROR / WARNING message is there. Change to a real hosting company, if you want to make money then you have to spend it first. SECURITY is not something to take for granted if YOUR clients information and your database etc.. is at RISK Robert We all need to learn it once, how hard it may seem when you look at it, also you will master it someday ;) Link to comment Share on other sites More sharing options...
Guest Posted January 10, 2004 Share Posted January 10, 2004 Robert, :angry: If you had an education and could read, I state if you are sure your chmods are set correctly to do it. I have a real hosting company, and they, myself and another member from this forum checked the chmods and found that they were set properly and could not be accessed. So get a life and read fully before opening your mouth, Link to comment Share on other sites More sharing options...
Guest Posted January 14, 2004 Share Posted January 14, 2004 Hi, Okay, first off all, I know that I can use an ftp program to change permission, to set configure.php at 644 and know how wsftp works - again i'm not new to this. I'm not a dumb mother off twins and stupid housewife....:0) hahaha What do you mean by your remark, what you pay for is what you get - my host is not cheap, and the Chmod seems to be the only problem, cause they have it set automatic for the users. I went with them cause they support .net and up till now have provided me with good qaulity service, and had no problems with any other programs that i'm running. I geuss I will just have to ask them again, seeing that no-one has another work around... Thanx any way for all your help. Kind regards Beth Link to comment Share on other sites More sharing options...
Guest Posted January 14, 2004 Share Posted January 14, 2004 what that means is no shell access to get to your files. being to get to the shell while doing things is great. for example, you have some text that you do not know where it is located - so with shell access, you can do: grep -rn 'keyword' * and it will tell you everywhere the keyword is located (file name and folder name) with line number. as far as the other if you remark out the configure.php files instead of having the permissions set, hackers with no experience can get into your database and make changes, etc, and if you just process the orders without looking or have someone else who does the orders, they could be shipped before you even find out the prices are now at $0.00 i could not find: "I state if you are sure your chmods are set correctly to do it. " in the other post so maybe i can not read correctly either . . . this is what i red: "I had the same problem but was able to solve it by doing the following:" Link to comment Share on other sites More sharing options...
Guest Posted January 17, 2004 Share Posted January 17, 2004 Okay, According to the host, the best way of securing a file is by putting this to A dir outside the website dir. If my website dir is D:\home\myname\mysite My dir outside would be D:\home\myname\securefolder This way the file cannot be seen via the internet but could be seen via the code. Does any-one get this??? Witch files would I need to place in the secure folder outside my site dir root. And witch files and where would I need to moderate the code so that The file or files would read from the outside dir root into the website root ??? Link to comment Share on other sites More sharing options...
peterr Posted January 17, 2004 Share Posted January 17, 2004 Hi, I also had problems with the message, and although I do have shell access at the hosts, I couldn't change it to 444 as the Wiki docs stated. I had to contact the web hosts and get them to change the file to a 444. Can someone please explain why write permissions are checked, on such a 'global basis ? I can understand having code to stop either "group or public" having write permissions, but why have code that causes an error msg, if the owner has write permissions. The owner _should_ have write permissions, but only the owner. I assume there is a (system ?) setting somewhere to turn "WARN_CONFIG_WRITEABLE" on or off, or should I consider modifying the code to also check the permissions ? This would make more sense, that is, only display the message if the group or public permissions were writable, certainly it makes no sense to me to have the message display if the owner has write permissions. From http://au2.php.net/manual/en/function.fileperms.php fileperms (PHP 3, PHP 4 ) fileperms -- Gets file permissions Description int fileperms ( string filename) Returns the permissions on the file, or FALSE in case of an error. Just a few more "IF" statements (one to check if group has write permissions, one to check if public has write permissions), and using the "fileperms" function, would ensure that the msg is ONLY displayed, if either group or public have write permissions. Isn't that what is needed ?? Peter Link to comment Share on other sites More sharing options...
mattice Posted January 17, 2004 Share Posted January 17, 2004 Yes, I get it. Create a NEW file called details.php In it you copy the last paragraph of configure.php (the paragraph that contains all the database detail stuff) Save it in details.php (start with <?php define(blabla ?> ) Delete the paragraph from configure.php Move (ftp) the file details.php to a directory OUTSIDE your webtree. (so if your full path is /var/usr/home/yourname/htmldocs/www/ you move it one directory LOWER - it should not be accessible by going to http://www.example.com/details.php ) Now add the following line to configure.php: require('../../details.php'); (where the amount of ../ represents the location, or use the full path) That should do it - but it will not solve the chmod warning - set that to FALSE like suggested above once you have it all running Mattice "Politics is the art of preventing people from taking part in affairs which properly concern them" Link to comment Share on other sites More sharing options...
mattice Posted January 17, 2004 Share Posted January 17, 2004 @ Peter: if I am on your system I can have my PHP script read your configure.php contents if settings are sloppy. Once I have those it will be a piece of cake to wipe out your DB, or worse, plug in to it and manipulate stuff to grab CC numbers. HTH Mattice "Politics is the art of preventing people from taking part in affairs which properly concern them" Link to comment Share on other sites More sharing options...
peterr Posted January 17, 2004 Share Posted January 17, 2004 Hi, @ Peter: if I am on your system I can have my PHP script read your configure.php contents if settings are sloppy. Once I have those it will be a piece of cake to wipe out your DB, or worse, plug in to it and manipulate stuff to grab CC numbers. Firstly, I'm ignorant with PHP, so I take simplistic thinking. :) The deafult CMOD for PHP files on the host is 644 Owner: Read/write Group: Read Public: Read When you say you can "have a PHP script read my configure.php contents", with a 644, I can't see (unqualified, simplistic viewpoint, remember) how you can, because ....... To try and 'read' the file, it has an extension of PHP, and _MUST_ firstly be passed through the (php) server, so any PHP code won't be returned, only 'html'. So, I can't see , with a 644, how anyone could actually 'read' the contents, that is, actually see the PHP code ?? Peter Link to comment Share on other sites More sharing options...
mattice Posted January 17, 2004 Share Posted January 17, 2004 Try fopen(), read() or several other solutions that wil pull any extension file in a string or array... There are many ways, but only IF the host has sloppy settings. Mattice "Politics is the art of preventing people from taking part in affairs which properly concern them" Link to comment Share on other sites More sharing options...
trendyfashion Posted January 17, 2004 Share Posted January 17, 2004 Is this a pre installed scipt on your host??? The Wiki Docs: Read them, live them and be thankful for them! Link to comment Share on other sites More sharing options...
peterr Posted January 17, 2004 Share Posted January 17, 2004 Hi, Try fopen(), read() or several other solutions that wil pull any extension file in a string or array... There are many ways, but only IF the host has sloppy settings. Tried 3 or 4 different functions (including the ones you mentioned). Got either 403 messages, or just blank page when trying to echo back anything, after using the PHP functions. Peter Link to comment Share on other sites More sharing options...
peterr Posted January 17, 2004 Share Posted January 17, 2004 Hi Frank, Is this a pre installed scipt on your host??? I don't know who you are asking, but although the hosts do have osC as a pre-installed function from CPanel, I installed it all manually, if that's what you mean ? Peter Link to comment Share on other sites More sharing options...
peterr Posted January 19, 2004 Share Posted January 19, 2004 Hi, See my solution to the problem in Permissions error message thread, posted today. Peter Link to comment Share on other sites More sharing options...
Guest Posted January 19, 2004 Share Posted January 19, 2004 on another note, you pay for what you get. never, ever sign up with a host for more than a month so you can see if everything works. THat is invaluable advice. You really got to check out a host and make sure they ofer what you need before you start paying in advance just to get a measly discount. Link to comment Share on other sites More sharing options...
peterr Posted January 19, 2004 Share Posted January 19, 2004 Hi, on another note, you pay for what you get. never, ever sign up with a host for more than a month so you can see if everything works. THat is invaluable advice. You really got to check out a host and make sure they ofer what you need before you start paying in advance just to get a measly discount. Having currently playing the role of "webmaster", plus doing hosting (on a very part time basis), I have been able to somewhat see "both sides of the fence", so to speak. :D Hosting, ........ hmmm, profits, if any, are very small, in fact we won't even break even this financial year. Clients expect a lot for nothing, and support immediately, and of course, expect you to drop everything for them. I'm considering putting a "10 hrs free support per annum, and then you will have to pay" clause in the agreement terms, because as I said, there _really_ isn't any money in it. :( The other side of the fence, so to speak, because I don't have the $$$ or energy to host anything myself, I'm a web hosting reseller, so, yes, I've had some support issues to do with the _real_ hosts. Lots of that was stuff I didn't understand, and as my learning curve is steep, I (now as the end user) have done exactly what some of my clients do, panic easily, and expect service/support asap. :D Paying in advance for a small discount. Have you ever considered the accounting and paperwork involved in managing the "pay by the mth" hosting. I only do "pay by the year", because I've talked a lot with people who have been hosting resellers for many years, and they got "stung" bu people who would pay by the mth, and then drop the service after a few mths. Given this scenario, the person hosting makes a significant loss, it is just not worth it. I understand there are many "unknowns" with hosts, and I'm currently considering just buying another domain, and when someone wants to consider me for web hosting, they can have (say) 100Mb and 3Gb bandwidth for free for 3 months, and use _that_ domain. They can do ALL the testing and trialling, and by the end of the 3 mths, they will know if it _really_ has all the features they need. It won't really cost me anything, as there is heaps of spare disk space and bandwidth at present. At the end of the day, time is money, and we all need to keep bread on the table. :) Peter Link to comment Share on other sites More sharing options...
Guest Posted February 22, 2004 Share Posted February 22, 2004 great... but can you let me know what code i need to put in the details file and delete in config file. kind regards beth Link to comment Share on other sites More sharing options...
peterr Posted February 22, 2004 Share Posted February 22, 2004 Hi Beth, great... but can you let me know what code i need to put in the details file and delete in config file. Permissions error message , post # 8 Peter Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.