I made a list of functions which can be used in disable_functions. What do you guys have? Please post any corrections or ideas to this thread. I have modified the 1st post to include a summary of what has been going on in this thread so people do not have to read the whole thread. However reading the thread is probably helpful to get more information

Here is the summary which is also accessible from the URL below:
http://dev.yurtesen.com/content/view/30/39/
Please check the URL also as the information here might become outdated as I will primarily update the information at my pages for easy access.

Increasing PHP security via disable_functions
Written by Evren Yurtesen
Friday, 05 October 2007

There are a few functions in PHP which allows access to things that the users do not need to know or use. Disabling these can increase security.

There are many functions which can be disabled in PHP using the disable_functions php.ini setting. This setting currently only functions from php.ini so one must be careful to not to disable a function which might be needed. Below is a list of functions which I found out that can be disabled and does not interfere with many PHP software around.

disable_functions = "apache_get_modules,apache_get_version,apache_geten v,apache_note,
apache_setenv,disk_free_space,diskfreespace,dl,
highlight_file,ini_alter,ini_restore,openlog,passt hru,phpinfo,
proc_nice,shell_exec,show_source,symlink,system"

Please let me know if you find that any of these functions are needed for popular software to function.

Below are some other functions you can disable but you must use caution while doing so:

dl — Loads a PHP extension at runtime

This function is required for loading ionCube on the fly. However if you have a popular sites using ionCube then the better way is to load it from php.ini anyway. Not only because of speed increase, also you would be in control of ionCube versions so you can make sure that they match with your PHP versions.

exec — Execute an external program

This function is required for XCart. There is no good thing I can say about this function. You could perhaps use safe_mode to designate a safebin environment where you let users to execute only the binaries you allow.

fsockopen — Open Internet or Unix domain socket connection

This function is unfortunately required for Virtuemart paypal module. Thus removed from the example above. You can add it if you are sure that it wont break anything in your system.

popen — Opens process file pointer

This function is required for XCart. Similar to the exec function and can be limited by using safe_mode. Too bad that PHP developers decided to drop safe_mode in php6 :(

set_time_limit — Limits the maximum execution time

Disabling this function seems to effect gallery2. In either case a script would timeout when apache timeouts are reached which is 300 seconds by default. Thus it should be more or less safe to let this one unless the site in question is a very busy site and causing problems.
Last Updated ( Wednesday, 17 October 2007 )

we also have these:

openlog, apache_child_terminate, apache_get_modules, apache_get_version, apache_getenv, apache_note, apache_setenv

to blocking the phpinfo function, just a reminder, newer installer scripts,( I noticed it for example on the phpBB3 installer when we did the EasyApp for it) use it and decide based on the results if the installer continues or not.
So I believe that would stop your customer from doing their own install of one of these newer apps.
Maybe its a good thing though :D

Hi Evren,

Here is what I have on the mail servers: disable_functions = pack,escapeshellarg,escapeshellcmd,exec,passthru,p roc_close,proc_open,shell_exec,system,set_time_lim it,ini_alter,dl,popen,parse_ini_file,show_source
And web servers:disable_functions = system,ini_restore,symlink,fsockopenSW

Hi Evren,

Here is what I have on the mail servers:And web servers:SW

Why fsockopen ?

Thijs, perhaps because it can be used to attack remote hosts?

OK, here is what I compiled from our combined disabled functions, can you tell me why some functions I think are harmless are disabled in your systems? is there a legitimate threat or you found the list from somewhere? :)

- apache_child_terminate - this actually seems to be a useful one and not a security problem
apache_get_modules
apache_get_version
apache_getenv
apache_note
apache_setenv
+ dir - used by joomla!
disk_free_space
diskfreespace
? dl - wouldnt this be needed for loading ioncube for example?
- escapeshellarg - these are useful stuff
- escapeshellcmd - these are useful stuff
exec
fsockopen
highlight_file
ini_alter
ini_restore
ini_set - alias for ini alter, why do you have ini_alter but not ini_set ?
- leak - not in php manuals?!
openlog
- pack - why is this bad?
- parse_ini_file - this doesnt seem to be dangerous?!
passthru
phpinfo
popen
proc_close - used by webshell
proc_get_status - requires proc_open to function... no need to disable seperately
proc_nice
proc_open - used by webshell
proc_terminate - requires proc_open to function... no need to disable seperately
- readfile - I dont see how this is useful as fopen does similar thing?
set_time_limit
shell_exec
show_source - alias of highlight_file, meaningless to only disable this alone?
symlink
system
tmpfile - used by webshell and unnecessary to disable?, similar to fopen

Greetings Evren:

RE: http://www.psoft.net/HSdocumentation/sysadmin/hsphere-webshell.html

Wouldn't using Webshell 5 (only available in H-Sphere 3) solve the problem as to what needs to be enabled in PHP for Webshell?

Thank you.

Peter, I didnt like the way that webshell5 works. CGI mode?! I dont even give CGI anymore because nobody is using it anymore and it is so old technology and well security features of old CGI scripts that most people are using is not enough for current days usage.

Also, once webshell is enabled in cgi-mode, it can be accessed from each web site with this kind of url:
http://<VirtualHost>/webshell5/index2.wsh
If I want to create SSL type connections. for example now(with ws4) it works with
https://IP/webshell4/
I created an SSL certificate for * domain which can be loaded to browser. Once loaded it doesnt show up any warnings anymore and SSL can be used. How can I enable SSL for webshell5 if I was using CGI mode?

About the PHP functions, the easier solution is to just make a custom http lserver conf file and enable these functions only for webshell.

Are you using webshell in cgi mode? how did you solve the SSL problem?

Thanks,
Evren

Greetings Evren:

Good job on how you came up with an SSL solution for the non CGI mode.

How do you keep your customer lserver.conf file from being overwritten during updates?

Do you mind sharing that file?

Thank you.

Greetings Evren:
Good job on how you came up with an SSL solution for the non CGI mode.
How do you keep your customer lserver.conf file from being overwritten during updates?
Do you mind sharing that file?
Thank you.

Customer lserver.conf? what do you mean exactly? You can create a
/hsphere/local/config/httpd/lsrv.conf.tmpl.custom
file...

The thing with the certificate for * domain is that it accepts any IP/domain combination once the certificate is loaded to the browser. (you know I signed it myself so thats why it is needed to be installed to browser).

I made a diff on my lsrv.conf.tmpl.custom and lsrv.conf.tmpl file in a web server and this is what I see:

1a2,6
>
> RewriteEngine On
> RewriteCond %{HTTPS} off
> RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
>
37a43,51
>
> <IfModule mod_php4.c>
> php_admin_flag safe_mode Off
> php_admin_value memory_limit -1
> </IfModule>
> <IfModule mod_php5.c>
> php_admin_flag safe_mode Off
> php_admin_value memory_limit -1
> </IfModule>

SSL is already activated on the web/mail servers automatically, no? I didnt
have to do anything more than just putting the certificate into the place, yeah there was a bug in psoft configurations where when you access to webshell using https you see its source code :) that is why the bottom part is there in the diff. I think this problem still exists no?

If I am wrong and it is not activated by default, I dont remember how I activated it? Can you confirm if HTTPS is enabled by default or not in web and mail servers?

By the way, direct logins to webmail/webshell and phpMyAdmin is working if you change the URLs they are forwarding to https url's. Otherwise not as I forward http requests to https and there the user info gets lost. The user coming from CP should directly connect to the https pages.

I know the info above is confusing I guess(I am confused myself as I dont remember if SSL was activated or I did something to activate it). If you have questions please ask.

Thanks,
Evren

Hi Evren:

The confusion is on my part, because I though you had a custom PHP section dealing with disabled functions just for the Webshell area (pages / directories) rather than server wide.

Thank you.

The confusion is on my part, because I though you had a custom PHP section dealing with disabled functions just for the Webshell area (pages / directories) rather than server wide.


Peter, you can still do it using lserver.conf file. Just put a php_admin_flag and override the disable_functions in there(redefine it without the offending entries). Perhaps this might work even within a <Directory DIR></Directory> section so you can localize this to webshell.

Otherwise the settings within lserver.conf would effect to everything in ~httpd/htdocs

Thanks,
Evren

Peter, thanks but can you please move it back? I put this to public part on purpose as this information is more or less useful to people who doesnt use h-sphere also. People searching for this feature of php might find this forum and accidentally learn about h-sphere etc. so it is a kind of advertisement even.

I dont see what hackers can do with this information. You yourself have a bunch of similar security info available for hackers for years :)
http://www.dynamicnet.net/customer/h-sphere/security/index.htm

Thanks,
Evren

PS. When I create some custom configurations and settings 100% compatible with h-sphere and unnecessary stuff cleaned out, I will put this information to my website for the use of public anyway.

Greetings Evren:

I deleted my posts dealing specifically with php functions since this is now moved back.

Yes, we have public instructions that constitutes approximately 60% of what can be done; but there is a lot we don't publish (not just for service reasons).

PHP function exclusions are one of them.

Thank you.

Peter, there are other sites giving out similar information on the net. As well, I collected most of the functions I listed here from that kind of sites. Anyway, thanks...

I am now testing this combination which seems to be compatible to use anywhere so far. Perhaps more functions can be added etc. but I think I will use this as a base...

disable_functions = "apache_get_modules,apache_get_version,apache_geten v,apache_note,
apache_setenv,disk_free_space,diskfreespace,dl,exe c,
highlight_file,ini_alter,ini_restore,openlog,passt hru,phpinfo,popen,
proc_nice,set_time_limit,shell_exec,show_source,sy mlink,system"


I will update this post if I find any major problems with these...

Update: (removed fsockopen())
fsockopen() is required for Virtuemart paypal payment module

Evren,

Thank you .. I have always had issues when I started implementing these. I will try these on a couple of my clusters also.

Having a clear picture of what can and cannot be disabled is a very good thing.

EDIT:: There are some spurious space's in your quote above ..

"apache_gete nv" should be "apache_getenv"

"exe c" should be "exec"

"passt hru" should be "passthru"

"sy mlink" should be "symlink"

It seems that the forum is putting those spaces in for whatever reason.

Thank You,

Francesca

Hi Evren,

One of these seems to break ioncube encoded sites .. I will narrow it down tonight when things are quieter.

At least a couple in my case. They went back to that message saying the ioncube decoder is not installed.

Francesca

Hi,

"dl" definitely breaks ioncube sites .. I missed your blurb about it up there Evren.

You are going to love this. Guess how I found it. ??

I did a google search "php disable_functions +ioncube" and LOL .. there it was from this thread right at the top. :)

This might get around it .. just load ioncube from php.ini which actually might be a better way to do it. I will play with it later.

Francesca

Yes, forum is putting spaces, I dont know why, some forums do that :) There are some of these functions in some programs like phpPgAdmin etc. but some apps continue working even if few functions are disabled so :)

ini_set() was breaking webshell4 so I removed it.

About ioncube, I checked the php manual for each of the functions and guessed dl() could cause this. You are right, it is better to load ioncube from php.ini if you have popular sites using it. I believe loading it on the fly for each request can cause performance problems...

About google, there are only few sites giving info about disable_functions. First I collected all the suggestions and then eliminated some by checking php manuals. One shouldnt trust the info on internet blindly after all :)

Thanks,
Evren

Thanks,
Evren

Evren,

You are right, it is better to load ioncube from php.ini if you have popular sites using it. I believe loading it on the fly for each request can cause performance problems...

Not to mention that at least the ioncube module we setup will be correct for PHP version. Its a nightmare going around and updating all the sites using it dynamically if one changes/updates php version.

Same goes for Zend and SourceGuardian for that matter.

Francesca

I have updated the list and removed fsockopen as it was used in Virtuemart paypal module :(

I found out that disabling set_time_limit is breaking webshell (as it timeouts) when one is deleting directories. Can anybody confirm?

Evren,

I am waiting on implementing this on a heavier loaded server. Perhaps in a day or so I can help you confirm your findings.

Francesca

Hi,

I have found that removing phpinfo is causing havoc with apps who do basic system sanity hecks. For example clientexec has a graph that shows tickets created in a month. Stupidly it requires a lookup of the GD function in PHP to work (This is beyond dumb as GD has been standard in Php for quite some time now.) and I am also getting complaints from customers saying we need to install all sorts of stuff that is installed because some helper page uses phpinfo to verify modules needed.

Some day someone should smack some of these developers out of the lazy coding techniques they use.

Francesca

I am waiting on implementing this on a heavier loaded server. Perhaps in a day or so I can help you confirm your findings.


I tried this on a server which had load around 0.1 and yet even deleting an empty directory takes more than 30 seconds (the default time limit).

I guess you can just test this easily. I will try to test it on another cluster later.

Thanks,
Evren

Evren,

I tried this on a server which had load around 0.1 and yet even deleting an empty directory takes more than 30 seconds (the default time limit).

I meant with more users than what I started with for my pilot test.

Francesca

Hi,

set_time_limit()

The above seems to create problems with gallery2.

Francesca

Thanks Francesca...

I updated the list in my web pages:
http://dev.yurtesen.com/content/view/30/39/

Also I think letting set_time_limit() can be ok as whatever one sets, usually this gets stuck to apache time limit which is 300seconds unless some data transfer is going on (in that case things shouldnt timeout anyway).

Evren,

XCart is becoming a PITA to support.

It requires "exec,popen" not to be disabled.

http://www.x-cart.com/cart_system_requirements.html

Where do they find these programmers at who code up these things. ?

Francesca

I updated my page. Also as a note, you can use safe_mode and safe_mode_exec_dir to limit the binaries which can be run/executed by these functions to a safebin environment. I am using safe_mode on my FreeBSD boxes without any problems. (joomla etc. are working)

It is truly sad that safe_mode will be removed from php6 because it was such a nice feature :(

Hi,

safe_mode, open_basedir, etc all can be bypassed easily and this is why I think the PHP developers decided to get rid of atleast safe_mode. While we are talking about ways these security tools can lead to a false sense of security, if anyone has ioncube installed on their server, the current version is currently vulnerable which allows open_basedir restrictions to be bypassed. :( I haven't seen an update released by ioncube folks.

SW

Steve, that is totally unfair to say. All the software has bugs which sometimes allow people to do things they are not suppose to :) I mean, are you saying that there is currently a bug about open_basedir so it must be removed from PHP too? Does that sound logical at all? if all the features which sometimes had bugs were to be removed we wouldnt have any software left at all :)

About safe_mode, I think what php developers mean by false sense of security is not what you understand. They mean that people think safe_mode is enough for securing the php installations because it is called safe_mode without questioning if they should even use open_basedir or suexec. Think about a noob seeing open_basedir, he would think 'why would I want to open my basedir? i have safe mode which makes things safe' lol there you go, false sense of security :) It doesnt mean that safe_mode is doing nothing. It seems like we have to suffer for the misunderstandings of others.

About safe_mode, I would like to see hard proof that you can actually circumvent my safe_mode settings. Do you know a way of doing that or you heard from somebody who heard from somebody that it can be done? Dont take it wrong, I always like to double check the facts even if the information comes from a very trustworthy source.

Also, I am not saying that safe_mode and open_basedir is enough. Sure it would be great if they could be used with suexec. They would become 3 musketeers of php... But currently it is impossible. I wish it was. FastCGI is another story, you get something and you lose something, I am sure you read the other threads.

Greetings Evren:

Agreed. Security must be in layers in order to be effective; furthermore, the effectiveness of each layer must be investigated over time, and modifications made as necessary.

Thank you.

I would prefer a solution where virtualhosts can automatically be served by http processes running as the user. Not a solution where fastcgi is running a user, then it runs the php etc.

However all the solutions implementing this scheme is incomplete so far. For example apache perchild mpm module, or other modules doing similar things. This is a deficiency of apache itself.

disable_functions = "apache_get_modules,apache_get_version,apache_gete nv,apache_note,
apache_setenv,disk_free_space,diskfreespace,dl,exe c,
highlight_file,ini_alter,ini_restore,openlog,passt hru,phpinfo,popen,
proc_nice,set_time_limit,shell_exec,show_source,sy mlink,system"

Anything to add or remove? :)

Been playing around with PHP settings a bit the past few days. popen is used by a few apps including some payment processors, ecommerce apps and some photo albums.

Cheers,

Ray

Ray, thanks. I already covered this in my pages
http://dev.yurtesen.com/content/view/30/39/
I keep a summary there because it is difficult to browse through all the messages here :)
For example you seem to have missed Francesca's post :)
http://forum.psoft.net/showpost.php?p=121029&postcount=30

Ray, thanks. I already covered this in my pages
http://dev.yurtesen.com/content/view/30/39/
I keep a summary there because it is difficult to browse through all the messages here :)
For example you seem to have missed Francesca's post :)
http://forum.psoft.net/showpost.php?p=121029&postcount=30

Both of which comments pretty much make it a waste of time to comment on these threads.

Cheers,

Ray

Well, it is difficult to make a short thread or quick summary as threads become long when people do send more info. Sure enough, making comments to the thread is useful as I read the comments and update the summary at my pages as well as people who read the whole thread can get the basic info too. Do you have a better idea?

Hi Evren:

Probably just posting to this page whenever http://dev.yurtesen.com/content/view/30/39/ is updated.

Just a thought.

Thank you.

Peter,

He did post that it was updated and has every time. Now responding or having a conversation in a thread is going to happen and forums are not a great way to document anything as they are hard to wade through at times.

Perhaps we should just have external links someplace to security resources and tips and tricks. Or just use a blog someplace with moderated comments to protect the original content.

But I have found this thread to be very helpful myself. But I can see where people get upset at having to read all sorts of non needed comments and opinions.

Yes even this post is not needed and has to be waded through. But I feel like I need to stick up for Evren here. And not drive anyone away who might actually publish security steps rather than talk about them.

Francesca

Peter,

Greetings Francesca:

Huh? Did you not have your coffee this morning?

Evren is extremely capable; and rarely does he let his emotions go into rants and raves.

That stated, I just recommended he update the thread with a new post rather than update the comments a page or more (currently one page) back.

Thank you.

Now that you deleted the message you posted. My post was NOT a rant or a RAVE. I was just saying that someone here is posting helpful stuff rather than trying to sell people on what they choose to keep secret and he can post as he wants.

Now it does seem like name calling as you are doing is what .. oh yah ..

Ranting and Raving.

Just you choose to be sneaky about it. Now if you have something helpful to post here by all means do so. But I think we can live without your telling us how to post. As you rarely listen to anyone being critical of your posts.

This post on page one by Peter illustrates my point.

Greetings Evren:

I deleted my posts dealing specifically with php functions since this is now moved back.

Yes, we have public instructions that constitutes approximately 60% of what can be done; but there is a lot we don't publish (not just for service reasons).

PHP function exclusions are one of them.

Thank you.

Francesca

Greetings Francesca:

"I was just saying that someone here is posting helpful stuff"

And no one stated anything any different.

If you look at my post prior to your rants, raves, and drama you will see I only gave the suggestion of updating this thread anytime http://dev.yurtesen.com/content/view/30/39/ is updated.

Thank you.

Peter,

If you look at my post prior to your rants, raves, and drama you will see I only gave the suggestion of updating this thread anytime

Ever consider there would be a lot less of this if you would keep your unneeded opinions to yourself sometimes.

In a word just shut up and spare us your holier than thou BS.

Francesca

PS: I am sorry you look at threads like this as a threat to your top secret overpriced hardening services. Because it sure hit a nerve with you bringing it up.

Extraneous comment alert! Feel free to move along ...

I read the comments and update the summary at my pages as well as people who read the whole thread can get the basic info too. Do you have a better idea?

Yes. Don't expect people to check your site before posting to this site. And don't post gratuitous comments, e.g., "you seem to have missed Francesca's post". I didn't miss it. I simply added some additional information, minor as it may have been.

it is difficult ... when people do send more info

Well, then stop reading it. :rolleyes:

I just got a chuckle out of you complaining about thread getting too long while making a post that pretty much contributes to the thread getting too long. ;)

Cheers,

Ray

Hi,

I am just wondering what would happen if everyone would quit posting or helping anyone here. We could just let the spammers and marketing types take over.

Ray are you saying you see no value in this thread. ?? Something that people here posting took the time to post and work on. I guess we could all keep our comments to ourselves and then sell them to people in need if everyone is going to complain about how a forum sucks as a tool to post information ??

Forums suck as a tool to post technical information. Its a known fact and its not going to change as us Drama Queen , Ranting , Raving lunatics know. :)

Francesca

I wonder why every thread I start turns out like this nowadays lol :) I have updated the first post with the content from the page. I will try to keep it updated as required. I also put a notice that the most updated version can be found in the URL. This would probably help in avoiding some misunderstandings.


Perhaps we should just have external links someplace to security resources and tips and tricks. Or just use a blog someplace with moderated comments to protect the original content.

This is an excellent idea. I am willing to contribute on such project if it is created. We can give full editing access to people we trust and moderated posting access to other people. I myself use Joomla and it gives good options but if you guys have a better idea. I didnt use any other programs so :) I can register a neutral domain name and we can put up some content management system and start up.

I would give up my site and contents and allow change the name and url but the problem is with the crappy banners and google ads and I wouldnt have a site anymore at all :( . I am now thinking about this possibility actually. It just feels like I would be giving away too much when other people only share 60% of what they are doing :) I would be giving away 120% if I donate everything to public including my own site, call me egoist if you want to :)

Also, joomla might not be the best software out for this purpose. Lets say if one can make a good suggestion I can give up the site or even help in manually move all the content to a new CMS at a neutral location and continue updating at the new pages when I do update things.

Please let me know what you think?

Thanks,
Evren

Evren,

I think a well moderated wiki would do. Someone would have to edit the posts and put them together in a harmonious way.

just feels like I would be giving away too much when other people only share 60% of what they are doing

I think it was down to 40% recently. :) Must be competition or something causing the turtling. Lets make a pledge to post 100% of our steps we do for our customers. Heck I happen to think personally I offer enough value in intangible ways to not worry that people can see what I put together actually from a bunch of google lookups. Knowledge should be shared as lockin is never a good thing.

Francesca

Greetings Francesca:

people can see what I put together actually from a bunch of google lookups.

Francesca

I'm not sure why you are calling our hardening service overpriced as most of our prices are less expensive than your own; and most of our work is custom developed rather than googled and patched together.

I'm glad Evren posted what he did by himself through his skills; and I'm glad there are some people, who drama a lot, who are not in control of what others do and do not post.

Thank you.

Peter,

I'm not sure why you are calling our hardening service overpriced as most of our prices are less expensive than your own;

You know nothing of what I do for my customers for what I charge. I only know what some of your customers tell me after they come over my way.

Anyhow .. are you done yet .. ?? Seems like you are being dramatic here a lot yourself .. But far be it for you to ever do self introspection. Just a lot of LOOK at me I am the strategic partner for all who is God Blessed.

Francesca

Greetings Francesca:

I'm glad you are happy that we recommend your services to those of our customers who need something we are not currently providing.

Now, let's move on back to the thread rather than the drama you started; and unfortunately I fell into.

Thank you.

Peter,

I'm glad you are happy that we recommend your services to those of our customers who need something we are not currently providing.


You once again don't know even 1/2 the truth here. You could have just kept your condescending inaccurate opinions to yourself and bingo .. no drama.

I know that I don't post in threads about what I am keeping from people. That is drama I think and you have been doing this now for years and not listening to many people who wish you would just answer a post with a answer and not a hidden/sneaky advert for what you do.

Francesca

Hi, Francesca,

Ray are you saying you see no value in this thread. ??

Quite the contrary! Though, it sounds to me as if that is what Evren is saying.

I was merely adding a comment about considering additional apps (in addition to the one you rightly pointed out: X-Cart) in case popen bites somebody else. (It did for me with a gallery that I didn't expect to use popen.) I found Evren's comments to be a bit obtuse considering he asked the question 'what else?' initially.

Didn't mean to open a can of worms, though.

Cheers,

Ray

Forums suck as a tool to post technical information.

I thought somebody mentioned starting a Wiki at some point. That might be a nice, happy-medium. If it was used (limited to) technical information, tech tips, how-tos, etc., it might be very useful.

For example, the excellent information that many maintain on various resources (such as Evren's fine site) would be useful in a community setting.

I haven't pulled the trigger on PHP5, yet, but I would donate some space after the first of the year if there is enough interest to make this work.

Cheers,

Ray

Ray,

I think some things were getting lost in forum translation. I was just getting clarification. I know you know a lot about this stuff of course and you help out here a lot not just for yourself.

Francesca

Ray, what I meant was that I made a summary of the thread at my web site for people who doesnt have time or patience to read the whole thread. To not to start another discussion, I dont mean anybody here do not have time or patience :) Thread is of course useful as it has the link to the summary and also people's comments which lead to the summary. Also I copy/pasted the summary to the 1st post now so people wont even need to go to check my site. But of course I cant keep up both places synched forever.

To avoid further misunderstandings. I want to remind that my site is not a site where I present commercial solutions that I provide. I am not putting the link to there because I want people to buy something from me or not for them to see my services. The only thing really commercial there is the google ads and well, let me have that much, I am freely publishing my works and information gathered and summarized, for example from this thread (thanks to Hplugins, ladylinux, stevewest15 and others).

Anyway, about the site. I can sponsor it right away. Anyway, I am sure you guys have realized that I am using Joomla. Do you know a better CMS to manage such a site? Also a good domain to register (although dont post here you can pm)? I checked hsphere.info but somebody has it already :D I can just buy the domain and arrange a site and start moving content there from my site.

Greetings Evren:

On http://dev.yurtesen.com/content/view/30/39/ please note that Horde's spell check feature needs "exec".

Thank you.

Thanks, I updated the page...