PHP Safe Mode enabled?

[usdigital]

Following EUKhost's decision to disable PHPMail in order to contain their increasing security problems, they have now pressed ahead with another measure, but this time without informing their customers.

After watching several of my CMS websites throw up warning messages this morning (I have reseller hosting, around 40+ websites), as of 4th August 2011 it seems PHP Safe Mode has been enabled across accounts by default. Has anyone else noticed this?

I have discussed with a support member on the live chat as to why/when it was enabled and how I can turn it off, and the frankly pathetic response I got was the at I can disable myself manually by modifying the php.ini file on the server, or send a ticket support request to have it done for me!

The question has to be asked - why on earth are EUKhost dumping yet more development work on their customers following the PHPMail fiasco? Was their decision to enable this feature without informing customers because they simply do not realise the effects it can have, or is it just wilful disdain?

I am no security or server expert by any stretch of the imagination, but a quick look around easily shows that PHP Safe Mode is absolutely not an advisable solution anyway, and is in fact deprecated from the latest versions of PHP.

I would appreciate some clarification from EUKhost on the issue at least, and would like to know if they will consider reversing this decision.

Not happy

[Cristiano]

Following EUKhost's decision to disable PHPMail in order to contain their increasing security problems, they have now pressed ahead with another measure, but this time without informing their customers.

After watching several of my CMS websites throw up warning messages this morning (I have reseller hosting, around 40+ websites), as of 4th August 2011 it seems PHP Safe Mode has been enabled across accounts by default. Has anyone else noticed this?

I have discussed with a support member on the live chat as to why/when it was enabled and how I can turn it off, and the frankly pathetic response I got was the at I can disable myself manually by modifying the php.ini file on the server, or send a ticket support request to have it done for me!

The question has to be asked - why on earth are EUKhost dumping yet more development work on their customers following the PHPMail fiasco? Was their decision to enable this feature without informing customers because they simply do not realise the effects it can have, or is it just wilful disdain?

I am no security or server expert by any stretch of the imagination, but a quick look around easily shows that PHP Safe Mode is absolutely not an advisable solution anyway, and is in fact deprecated from the latest versions of PHP.

I would appreciate some clarification from EUKhost on the issue at least, and would like to know if they will consider reversing this decision.

Not happy

I am not able to locate your account with the email address you have registered on forums. Gimme the domain name OR the server IP on which your websites are hosted. I will have a check & inform further updates in the same thread.

[usdigital]

I am not able to locate your account with the email address you have registered on forums. Gimme the domain name OR the server IP on which your websites are hosted. I will have a check & inform further updates in the same thread.

Thanks, you have a PM.

[Cristiano]

Thanks, you have a PM.

I have replied your PM explaining as to what has had happened. Your understanding and patience is much appreciated.

[Bud Boy]

I am no security or server expert by any stretch of the imagination, but a quick look around easily shows that PHP Safe Mode is absolutely not an advisable solution anyway, and is in fact deprecated from the latest versions of PHP.

I would appreciate some clarification from EUKhost on the issue at least, and would like to know if they will consider reversing this decision.

Not happy

This is also creating me many problems (not least that I'm no coding expert!). It's taken me years to develop some sites and gain customers' confidence and now I have to recode and test - for what real purpose?

I would also appreciate an answer to usdigital's questions please....

[Cristiano]

This is also creating me many problems (not least that I'm no coding expert!). It's taken me years to develop some sites and gain customers' confidence and now I have to recode and test - for what real purpose?

I would also appreciate an answer to usdigital's questions please....

Hi David. I have replied the thread you have opened. Refer PHP Mail once.

[Bud Boy]

The question has to be asked - why on earth are EUKhost dumping yet more development work on their customers following the PHPMail fiasco? Was their decision to enable this feature without informing customers because they simply do not realise the effects it can have, or is it just wilful disdain?

I am no security or server expert by any stretch of the imagination, but a quick look around easily shows that PHP Safe Mode is absolutely not an advisable solution anyway, and is in fact deprecated from the latest versions of PHP.

I would appreciate some clarification from EUKhost on the issue at least, and would like to know if they will consider reversing this decision.

Not happy

Thanks Christiano but I'm sure you haven't missed the fact that this thread is asking for answers to totally different questions from my other thread.

My other thread (http://www.eukhost.com/forums/f34/ph...enabled-14984/) simply asks for assitance on how to deal with this change.

This thread is questioning the logic and reasoning behind the decision.

- It's different, both of which I would be grateful for a full explanation -

Cheers

[Cristiano]

This thread is questioning the logic and reasoning behind the decision.

Hi David.. We have already sent an explanation as to why we took this decision of disabling php mail function. Email with subject Security Update :: php mail function disabled has been sent on your primary email address with us.

[Bud Boy]

Yeah OK - but that doesn't answer the questions raised above

Just the usual

[harishwebs]

Enabling safe_mode is not needed if other reasonable security precautions are followed. Using safe_mode for web site security is a poor compromise in a bad situation. It may make sense in some situations, but there is almost always a better way. Because safe_mode in some sense only gives the illusion of safety, it will be removed from PHP starting with version 5.3.0.

The Joomla! core works fine with or without PHP safe_mode. The one exception to this rule is the installation script. This is because safe_mode, by design, turns off the PHP functions that enable easy uploading via a Web browser. If you do use safe_mode, and need to perform installs via the Web browser, temporarily turn safe_mode OFF, and turn it back ON when finished.

Some third-party extensions may require the specific PHP functions that are blocked by safe_mode. Such extensions should be carefully evaluated to be sure you understand exactly why they require such powerful and potentially dangerous functions.


Harish Rawat
CoreItDevelopers