This announcement is to provide notice to all clients that we have now disablabled the PHP setting register_globals. As script exploits increase which rely on this setting we have now made the change to make our servers more secure.

In addition, it has now become commonplace for hosts to have register_globals disabled and for script makers to use code which doesn't rely on it being set to "On". We recommend that clients who code their own PHP scripts read the following page where the security issues with register_globals are detailed.

We understand that some clients will still be using scripts which rely on register_globals being set to "On" and we are still able to provide hosting for these.

Firstly, it's recommended that anyone affected looks to see if an updated script is available which uses secure code (and doesn't require the setting to be On). If this is a custom made script we recommend altering the code to make it secure with regard to register_globals.

If any client really needs register_globals to be "On" this can be done by adding the following line to a .htaccess file in the accounts public_html directory

INSERT THIS INTO A .HTACCESS FILE: "php_value register_globals 1"

Any client making this change should be aware of the security implications of doing this (see link above) and be prepared to take responsibility should a script comprimise occur as a result of the setting. Also, clients are asked only to make the setting when absolutely necessary and not carry out the change on each and every account when not required.

Thursday, March 2, 2006

« Back