Many of you probably had seen already the red warning in Joomla's admin interface, that you need to have the Register Globals set to "on", otherwise your site is exposed to security treats.

And also many of you haven't a clue how to do it...

So, let's see what an average webmaster can do about this problem.

Joomla! has always featured the ability to emulate PHP's register globals setting. However, controlling this feature has always been one of the more difficult aspects of configuring your Joomla! installation because it required manually editing a core file.

Namely you needed to edit the globals.php file from the Joomla root and change the line:

define( 'RG_EMULATION', 0 );


define( 'RG_EMULATION', 1 );

For Joomla! 1.0.13, all that is history. Joomla!'s register globals emulating controls have been moved into the Global Configuration settings to allow for fast and easy control over this feature. The advantages of this change are two-fold: 1) it will be easier to secure your Joomla! powered website and 2) disabling register globals emulation will help you identify some extensions that will not work in Joomla! 1.5.

But even if you're running earlier versions of Joomla you can avoid to edit a core Joomla file - which is not recommended anyway.

One of the simplest ways to do it is to set server side the corresponding variable to the needed value. This can be set by your web-server's administrator globally or you can set it locally, using local php.ini or .htaccess files, if your server allows that.

The needed line in the php.ini or .htacces file is simple, just insert:

php_flag magic_quotes_gpc on

in a standaloneline.

If you're using Plesk, however, this may not work. Basically, if you are on a shared server that uses plesk, you will not be able to access the php.ini and generally you're not allowed to use local php.ini files. And, on Plesk by default, magic_quotes_gpc is set to off.

To set magic_quotes_gpc, you will have to edit your vhost.conf. The vhost.conf file will need to be located in the conf directory on your site's ftp. Inside the file you will need the following...

<Directory /var/www/vhosts/>
	php_admin_flag magic_quotes_gpc on

Don't forget to change the path in the Directory directive to your server's actual path to the web directory.

Once this has been placed into the conf directory, run from the command line...

# /usr/local/psa/admin/bin/websrvmng -a -v	

Once run, the last thing you will need to do is restart apache.

# service httpd restart

On other servers there may be easier ways to do it. If you're on one of Dreamhost's servers, for example, you have in the hosting control panel the chance to do some of needed settings. If your domain is running PHP4, that has register_globals set "on" by default, and you don't need to do anything.

If from some reason you need to, you can change your domain to use PHP5, which has register_globals turned off. To do this, go to the Hosting Control Panel -> Domains -> Manage Domain screen and click the "edit" link under the "Web Hosting" column. Modify the choice of PHP to use for your domain in the provided "pull down" selector and save the changes.

After a few minutes, when the change is complete, you will be running PHP5 with register_globals "off". And you need to fix the situation using some of the above solutions.

Category: Secure Joomla