We would like to inform you and the contacts on your account of a
change we will be making soon to our (gs) Grid-Service platform. To further
strengthen security for our clients, we will be making a global change
to the PHP environment. This change will help considerably in
stopping your site(s) from being compromised, as well as help thwart the
unauthorized use of our servers for abusive or malicious purposes.
BACKGROUND:
There is a parameter for PHP called ‘allow_url_fopen’ that is currently
enabled in both our PHP4 and PHP5 environments. If the proper
precautions are not taken in PHP, a large number of code injection
vulnerabilities frequently reported in PHP-based web applications are possible. We
understand that our customers install a great number of PHP-driven
applications, many of them from the open-source community. Unfortunately
a great number of them can potentially fall prey to these
vulnerabilities. As a company the best that we can do in a shared environment is to
provide sane global defaults that protect the majority of our customer
base. This pro-active change is in the best interest of our entire
customer base using our (gs) Grid-Service.
CHANGE:
Starting on 01/18/08, and continuing for several more days, we will
begin disabling ‘allow_url_fopen’ across all of our clusters on the (gs)
platform. This will be a permanent change.
PREPARATION/WORKAROUND:
In preparation for the pending change you can determine now whether
your site will function with our new defaults. We have created a
KnowledgeBase article at http://kb.mediatemple.net/article.php?id=793 that
details how you can disable ‘allow_url_fopen’ now to check for any
incompatibilities. The process is very straightforward; include the following
line in your php.ini file at /home/####/etc/php.ini (replace #### with
your site number):
allow_url_fopen = Off
This will give you a PHP environment identical to the one we will be
changing to on January 18th. We strongly encourage you to thoroughly
test your sites to ensure compatibility. If the change has no impact you
will not have to worry. You can freely remove the line above or keep
it.
Should you come across errors directly related to this change you can
simply modify the flag to ‘On’ which will be honored post-change as
well:
allow_url_fopen = On
With this particular change your setting in php.ini will always be
honored regardless of the global values. With that in mind we would highly
suggest further researching and examining aspects of your site that
depend on this functionality to see if a safer method can be used
instead. If this software was obtained from a 3rd party we would suggest
contacting their developer.
Once again we will be making this rolling change to our servers
starting on 01/18/08. If you need clarification of this change, or require
assistance with updating your php.ini, please feel free to open a Support
Request in your AccountCenter or by calling us toll-free at
(877)578-4000 at any time.
Thank you for your cooperation and understanding.
Regards,
(mt) Media Temple, Inc
Hosting Operations
8520 National Blvd.
Building A
Culver City, CA 90232
<24/7 toll-free>: 877-578-4000
<24/7 international>: +1-310-841-5500
www.mediatemple.net
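
The notice asks customers to test their sites with allow_url_fopen set to Off and to look for code that depends on it. The script below is an added example, not part of the Media Temple notice or KnowledgeBase article: it scans a site's *.php files for calls that pass an http/https/ftp URL literal (these stop working once the setting is Off) and for include/require statements whose path starts with a variable (these need a manual review). The function names, the list of PHP functions checked and the sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: find PHP code that depends on allow_url_fopen before the
# host turns it Off. Function names here are illustrative, not from the notice.

# Built-ins that accept http://, https:// or ftp:// paths only while
# allow_url_fopen is On (a common subset, not an exhaustive list).
FUNCS='fopen|file_get_contents|file|readfile|copy|getimagesize|simplexml_load_file|include|include_once|require|require_once'

# A call (not a method or a variable) whose first argument is a URL literal.
URL_CALL_RE="(^|[^A-Za-z0-9_>\$])($FUNCS)[[:space:]]*\\(?[[:space:]]*['\"](https?|ftp)://"
# include/require whose path starts with a variable: check where the value comes from.
DYN_INC_RE="(^|[^A-Za-z0-9_>\$])(include|require)(_once)?[[:space:]]*\\(?[[:space:]]*\\\$"

# scan_tree REGEX DIR: print file:line:text for each matching line in *.php files.
scan_tree() {
    find "$2" -type f -name '*.php' -exec grep -nHE -e "$1" {} + 2>/dev/null || true
}

# Calls that will fail once allow_url_fopen is Off.
scan_url_calls() { scan_tree "$URL_CALL_RE" "$1"; }
# Includes that need a manual look.
scan_dynamic_includes() { scan_tree "$DYN_INC_RE" "$1"; }

# Constructed sample site (not real customer code) used to exercise the scanners.
make_sample_site() {
    mkdir -p "$1/lib"
    cat > "$1/feed.php" <<'EOF'
<?php
$xml = file_get_contents('http://feeds.example.com/news.xml');
$fh  = fopen("/home/0000/data/cache.txt", "r");
$file = 'http://example.com/not-a-call';
EOF
    cat > "$1/lib/page.php" <<'EOF'
<?php
include($_GET['page'] . '.php');
require_once 'https://cdn.example.com/lib.php';
include 'header.php';
EOF
}

# Stand-alone use: sh scan.sh /path/to/site
if [ "$#" -ge 1 ]; then
    echo "== URL calls ==";        scan_url_calls "$1"
    echo "== dynamic includes =="; scan_dynamic_includes "$1"
fi
```

A text scan only catches URL literals; paths assembled at run time still need the live test with the php.ini line described in the notice.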