Davyc Posted April 23, 2021 Posted April 23, 2021 (edited) 1 hour ago, CoffeeCake said: I cannot even begin to imagine a legitimate use for any of those functions--they all surround running server-side executables. /summon Kier. What the heck? I'll see if I can replicate the error. See below: As for using the IPS CIC - way too expensive for me, I could do Nimbus hosting for the same price without the restrictions. I'll wait until I see what the modified CIC packages will be like once they come online. Thanks for the advice about using a VPS - I can drive a car (not allowed to drive now for medical reasons, which is a PITA) but not a plane - always wanted to fly a helicopter, would that count if I ever got around to it lol? I fully believe a managed system would be better for me as I'm too old to get involved with learning the in's and out's of a VPS, I am intrigued though 🙂 Edited April 23, 2021 by Davyc
Linux-Is-Best Posted April 23, 2021 Posted April 23, 2021 KnownHost is fully managed, and they can be a pickle when it comes to security (their mod security setting were so high, I asked them to disable them on my account). They may be a little more pricey, depending on which plan you feel you require, but they are dependable. If you need a fully managed provider and wish to be fully secure, I would suggest them @AlienOrigins and @Davyc
CoffeeCake Posted April 23, 2021 Posted April 23, 2021 1 hour ago, Davyc said: I'll see if I can replicate the error. That's the library, Swiftmailer: https://github.com/swiftmailer/swiftmailer/blob/master/lib/classes/Swift/Transport/StreamBuffer.php Perhaps there's a configuration option that stops stupid mode? https://xenforo.com/docs/xf2/options/#transport-configuration My guess is you're using SMTP. Do you get the error with PHP built in mail (which presumably uses mail()).
Davyc Posted April 23, 2021 Posted April 23, 2021 11 minutes ago, CoffeeCake said: My guess is you're using SMTP. Do you get the error with PHP built in mail (which presumably uses mail()). Nope not using SMTP using the built-in method - see below: Not to worry though, I just removed the php.ini file and the system went on it's merry way. 1 hour ago, Linux-Is-Best said: KnownHost is fully managed, and they can be a pickle when it comes to security I checked them out and I can get Nimbus for roughly the same price and it's UK based, as am I, with a little more movement on features. I've used Nimbus in the past and they are really good and very professional, hence 'expensive' - at least for me they are when you're on your pension lol. I never thought I'd be saying I'm an OAP lol, but here I am. Linux-Is-Best 1
Linux-Is-Best Posted April 23, 2021 Posted April 23, 2021 5 minutes ago, Davyc said: I checked them out and I can get Nimbus for roughly the same price and it's UK based, as am I, with a little more movement on features. I've used Nimbus in the past and they are really good and very professional, hence 'expensive' - at least for me they are when you're on your pension lol. I never thought I'd be saying I'm an OAP lol, but here I am. There is no shame in that at all. You worked hard, contributed to society as a productive member, and now have earned the right to your joyful retirement. If I recall correctly (from memory), your forum is a personal joy (hobby) you enjoy tinkering with. I hope you go on to enjoying your community for years to come, and while your goal may not be to attract members far and wide, I do wish you success. Finding a hosting provider you are happy with, in the long run, is all that matters. If Nimbus fulfills your needs, even if they are a bit costly and you're happy with their service, perhaps they are the right host for you. But should you in the future wish to see affordable alternatives, I am sure there are many people here who can give you some suggestions (canspace.ca and hostxnow.com both come to mind). Cheers, Davyc 😀 Davyc 1
CoffeeCake Posted April 23, 2021 Posted April 23, 2021 2 hours ago, Davyc said: Nope not using SMTP using the built-in method - see below: Hmm. Perhaps the other (SMTP) setting switches it to socket mode, which would bypass the proc_open() and _close() call. Odd.
CoffeeCake Posted April 23, 2021 Posted April 23, 2021 4 hours ago, Davyc said: I could do Nimbus hosting for the same price without the restrictions. Looking at this link, this is a great example where you can save a lot of money by going with something like AWS. Their Lightsail offering is simplified VPS. Compared to that Nimbus plan you linked to, you could have a better provisioned VPS at $40/month (at least US pricing--you'll need do work out the conversion to Prussian Francs). You can have your instance in Frankfurt, Ireland, London, or Paris if you need something based in Europe. That would give you 8GB RAM, 2 core processors, 160 GB SSD storage, and 5 TB transfer, well exceeding the allocations for the Nimbus plan you linked to at $105/month. You'd be able to add CDN at free or very low cost, and could even choose to maintain a separate fully maintained database instance and still come out under what you'd be paying Nimbus. https://aws.amazon.com/lightsail/pricing/ IPS' cloud is using AWS. I'm sure Jordan's prodding about EU based servers simply means they'd put some instances in those European regions if the interest was worth the bother. Davyc 1
Restricted Content Posted April 24, 2021 Author Posted April 24, 2021 (edited) On 4/22/2021 at 9:40 PM, CoffeeCake said: Those functions are rarely needed and very dangerous. You are putting electrical tape over the check engine light on your car, and then complaining that the light is the defect instead of the oil leak. Or putting the anal probe directly into the interstellar mouth socket. One of those. Installing some other software on the same server is not resolving your problem. Other software may not do you the courtesy of warning you that there is a problem, but the problem is global to all PHP based applications. You seem to think because your other car doesn't come equipped with air bags that a new one with air bags obviously has a terrible defect that makes it crash spontaneously into walls. So you'll drive the old one because that's safer.... Not putting electrical tape on anything.. Installing other SOFTWARE works well because IPB is the ONLY ONE where I get that issue! No problem with anything but IPB...And you want to make analogies? What if one car as a 5.7 liter engine and the other is a 1.8 liter does that mean because the 1.8 is smaller that it cannot do 60mph down the interstate? Forum software is like cars you get a bad one in all of them....Does this issue mean that IPB is bad? No...But it also does not correct itself even after my host corrects the problem on the. server it comes back!!!!!!!! Either way the thread is a moot point because I took the software down and off the server... Edited April 24, 2021 by AlienOrigins
Square Wheels Posted May 1, 2021 Posted May 1, 2021 I had my host turn these off for me (I have a VPN, but I'm not smart enough to do it on my own). I have a newsletter app on the same server that can do auto updates. They stopped working because I turned off exec. How dangerous is it to have that one turned back on, and what could happen? Thank you
Restricted Content Posted May 1, 2021 Author Posted May 1, 2021 10 hours ago, Square Wheels said: I had my host turn these off for me (I have a VPN, but I'm not smart enough to do it on my own). I have a newsletter app on the same server that can do auto updates. They stopped working because I turned off exec. How dangerous is it to have that one turned back on, and what could happen? Thank you Quote How dangerous is it to have that one turned back on, and what could happen? LoL...And the sound of crickets.....What does that tell you dude?
Linux-Is-Best Posted May 2, 2021 Posted May 2, 2021 (edited) 3 hours ago, AlienOrigins said: And the sound of crickets.....What does that tell you dude? It tells me that a support question with 2 pages worth of post, over a week old, is likely already answered and may go unnoticed. If you were trying to suggest that the lack of a speedy reply was a guaranteed method to detect how vital something is or not, that would be a poor choice of judgment. Especially considering this is all happening on the weekend evening (Saturday, evening) when most folks are not keeping business hours. The comment you are addressing was posted on a Friday evening when most people have "punched out" for the weekend. But I digress. Just because someone has not rushed to provide a detailed explanation (in your presumed time frame) does not imply anything is safe or not. Respectfully, @Square Wheels, I would not take @AlienOrigins seriously concerning this matter. He/she started this thread expecting people to read his/her mind (not even explaining what the issue was). When folks pointed out that this warning was by design, for your protection, he/she basically said he/she does not care. As a rule of thumb @Square Wheels you should avoid exposing your site to anything that could cause it harm. Keeping your site safe is not going to hinder your usage. My test site has 13 different developments, for example (domaintaken.org), and everything works. I do not need to make my site less secure to have things function. Anyone telling you not to worry about security, in general, I do not believe has your best interest in mind. Edited May 2, 2021 by Linux-Is-Best clarity Square Wheels 1
Restricted Content Posted May 2, 2021 Author Posted May 2, 2021 10 hours ago, Linux-Is-Best said: It tells me that a support question with 2 pages worth of post, over a week old, is likely already answered and may go unnoticed. If you were trying to suggest that the lack of a speedy reply was a guaranteed method to detect how vital something is or not, that would be a poor choice of judgment. Especially considering this is all happening on the weekend evening (Saturday, evening) when most folks are not keeping business hours. The comment you are addressing was posted on a Friday evening when most people have "punched out" for the weekend. But I digress. Just because someone has not rushed to provide a detailed explanation (in your presumed time frame) does not imply anything is safe or not. Respectfully, @Square Wheels, I would not take @AlienOrigins seriously concerning this matter. He/she started this thread expecting people to read his/her mind (not even explaining what the issue was). When folks pointed out that this warning was by design, for your protection, he/she basically said he/she does not care. As a rule of thumb @Square Wheels you should avoid exposing your site to anything that could cause it harm. Keeping your site safe is not going to hinder your usage. My test site has 13 different developments, for example (domaintaken.org), and everything works. I do not need to make my site less secure to have things function. Anyone telling you not to worry about security, in general, I do not believe has your best interest in mind. Quote It tells me that a support question with 2 pages worth of post, over a week old, is likely already answered and may go unnoticed. No its not answered....Never has been answered. I have as of yet to get a direct satisfactory answer to this. So I quit trying as of this thread. And the reason I no longer use the software, that and having to deal with that dumb ass Namecheap hosting.
Square Wheels Posted May 2, 2021 Posted May 2, 2021 15 minutes ago, AlienOrigins said: No its not answered....Never has been answered. I have as of yet to get a direct satisfactory answer to this. So I quit trying as of this thread. And the reason I no longer use the software, that and having to deal with that dumb ass Namecheap hosting. I searched a little and didn't understand the responses as I am not a developer, software designer, or server manager. I am a site hobbyist. My host gave me this answer. The PHP module 'exec' is used to Execute an external program. This function is suggested to be disabled unless it is needed on the off chance that code gets updated to the domain a PHP script with 'exec' included could then execute malicious commands to the server. It is up to you if you would like to have this enabled for PHP on the server. I decided to leave the "dangerous" functions turned off.
opentype Posted May 2, 2021 Posted May 2, 2021 It’s a community forum. Official IPS support is only guaranteed through support tickets. So all answers here are purely voluntary and a favour of other Invision Community users. We will decide if it’s worth our time to answer and we also might consider HOW the questions is asked. The tone on of certain people here might not be all that motivating to give helpful answers. But anyway: In the end, all of these functions are possible attack vectors. For potential attackers (just like potential burglars) its usually a case of “once you’re in, you’re in”. There is nothing specific that happens, when you leave your backdoor open and there is nothing specific that happens to have these commands active. But IF they are being used in a malicious way, then the results are potentially very serious. Essentially, your server can be taken over and used for all kinds of bad things. So if your site doesn’t need those functions anyway, it’s best to have them disabled. It’s highly appreciated that IPS has a warning function for that. Miss_B, Square Wheels, Linux-Is-Best and 2 others 5
Steph40 Posted September 11, 2021 Posted September 11, 2021 WOW I'm going to make pop corn before I read those 2 pages of entertainment. Adriano Faria 1
Recommended Posts