Opened 4 years ago

Closed 4 years ago

#1753 closed Bug (fixed)

Plugin SecurityInfo shows wrong result for Suhosin Extension

Reported by: RennerChristian
Owned by:
Priority: normal
Milestone: Piwik 1.1
Component: Core
Keywords: feedback
Cc:
Sensitive: no

Description

I'm running Piwik 1.0 with FastCgi on a Debian Lenny system.

The SecurityInfo-Plugin says:
1) You are not running PHP with the Suhosin extension loaded. We recommend both the patch and extension for low- and high-level protections including transparent cookie encryption and remote inclusion vulnerabilities.

2) You are not running PHP with the Suhosin patch applied. We recommend both the patch and extension for low- and high-level protections against (for example) buffer overflows and format string vulnerabilities.

The php tells me:
/usr/bin/php5-cgi --version
PHP 5.2.6-1+lenny9 with Suhosin-Patch 0.9.6.2 (cgi-fcgi) (built: Aug 4 2010 05:59:13)
Copyright (c) 1997-2008 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2008 Zend Technologies

Same message when calling phpinfo in the piwik dir.

Change History (3)

comment:1 Changed 4 years ago by vipsoft (robocoder)

  • Keywords feedback added
  • Milestone set to 1.1 - Piwik 1.1

Perhaps the web server is using a different php binary?

Try again with this script:

<?php
print_r(get_loaded_extensions()); // this should contain "suhosin" if you have the Suhosin extension
print_r(get_defined_constants()); // this should contain SUHOSIN_PATCH if the Suhosin patch was applied

comment:2 Changed 4 years ago by RennerChristian

1)
$exts = get_loaded_extensions(); $exts doesn't contain "suhosin"

2)
$constants = get_defined_constants(); $constantsSUHOSIN_PATCH? = 1, $constantsSUHOSIN_PATCH? = 0.9.6.2

According to this the opened bug can be closed by 50%. It seems that the extension is not loaded and therefore the notice about the extension is correct.
But the notice about the patch shouldn't be given.

comment:3 Changed 4 years ago by vipsoft (robocoder)

  • Resolution set to fixed
  • Status changed from new to closed

(In [3237]) fixes #1753, refs #1310 - get_defined_constants(false) is broken prior to php 5.2.11
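
A fuller version of the diagnostic from comment:1, as an added example (not code from this ticket or from Piwik's SecurityInfo plugin): it checks the extension and the patch separately and compares defined() with the different ways of calling get_defined_constants(), including the explicit false that [3237] reports as broken before PHP 5.2.11. The function name suhosin_report and the report keys are hypothetical.

```php
<?php
// Added diagnostic example; suhosin_report() and its keys are hypothetical names.
// Request this file through the web server, not the CLI, so the report
// describes the PHP binary that actually serves Piwik.

function suhosin_report()
{
    $report = array(
        'php_version' => PHP_VERSION,
        'sapi'        => php_sapi_name(),
        // The extension and the patch are independent, so test each on its own.
        'extension_loaded' => extension_loaded('suhosin'),
        // defined() asks the engine directly about one constant.
        'patch_via_defined' => defined('SUHOSIN_PATCH'),
    );

    // Flat lookup with no argument.
    $flat = get_defined_constants();
    $report['patch_via_flat_list'] = array_key_exists('SUHOSIN_PATCH', $flat);

    // Flat lookup with an explicit false, the call named in the fix.
    $explicit = get_defined_constants(false);
    $report['patch_via_explicit_false'] = array_key_exists('SUHOSIN_PATCH', $explicit);

    // Categorized lookup: the constant sits one level down, under a category key.
    $report['patch_category'] = null;
    foreach (get_defined_constants(true) as $category => $constants) {
        if (is_array($constants) && array_key_exists('SUHOSIN_PATCH', $constants)) {
            $report['patch_category'] = $category;
            break;
        }
    }

    // A mismatch means a detector relying on get_defined_constants(false)
    // would report the patch as missing although the engine defines it.
    $report['explicit_false_agrees_with_defined'] =
        ($report['patch_via_defined'] === $report['patch_via_explicit_false']);

    return $report;
}

if (php_sapi_name() !== 'cli') {
    header('Content-Type: text/plain');
}
print_r(suhosin_report());
```

Comparing the sapi and php_version values with the output of the command-line binary also answers the question from comment:1 about whether the web server uses a different PHP binary.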
