Plugin SecurityInfo shows wrong result for Suhosin Extension #1753

anonymous-piwik-user opened this Issue · 3 comments

Anonymous Piwik user

I'm running Piwik 1.0 with FastCgi on a Debian Lenny system.

The SecurityInfo-Plugin says:
1) You are not running PHP with the Suhosin extension loaded. We recommend both the patch and extension for low- and high-level protections including transparent cookie encryption and remote inclusion vulnerabilities.

2) You are not running PHP with the Suhosin patch applied. We recommend both the patch and extension for low- and high-level protections against (for example) buffer overflows and format string vulnerabilities.

The php tells me:
/usr/bin/php5-cgi --version
PHP 5.2.6-1+lenny9 with Suhosin-Patch (cgi-fcgi) (built: Aug 4 2010 05:59:13)
Copyright (c) 1997-2008 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2008 Zend Technologies

Same message when calling phpinfo in the piwik dir.
Keywords: feedback

Anthon Pang

Perhaps the web server is using a different php binary?

Try again with this script:

<?php
print_r(get_loaded_extensions()); // this should contain "suhosin" if you have the Suhosin extension
print_r(get_defined_constants()); // this should contain SUHOSIN_PATCH if the Suhosin patch was applied

Anonymous Piwik user

$exts = get_loaded_extensions(); // $exts doesn't contain "suhosin"

$constants = get_defined_constants(); // $constants[= 1, $constants'SUHOSIN_PATCH' =

According to this the opened bug can be closed by 50%. It seems that the extension is not loaded and therefore the notice about the extension is correct.
But the notice about the patch shouldn't be given.

Anthon Pang

(In [3237]) fixes #1753, refs #1310 - get_defined_constants(false) is broken prior to php 5.2.11

Anonymous Piwik user anonymous-piwik-user added this to the Piwik 1.1 milestone
This issue was closed.
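
A diagnostic in the spirit of the script suggested in the thread, as an added example that is not part of the original discussion or of Piwik's code: it reports which PHP build is answering and checks the Suhosin patch with defined('SUHOSIN_PATCH') instead of scanning the get_defined_constants() listing. The function names suhosin_status() and render_status() are hypothetical.

```php
<?php
// Added example, not Piwik code. Function names are hypothetical.

// Collect the facts needed to tell "wrong PHP binary" apart from "wrong detection".
function suhosin_status()
{
    return array(
        // Which SAPI is answering (e.g. cli vs. cgi-fcgi) and which build
        'sapi'        => php_sapi_name(),
        'php_version' => PHP_VERSION,
        // php_ini_loaded_file() exists from PHP 5.2.4; false means no php.ini loaded
        'ini_file'    => function_exists('php_ini_loaded_file') ? php_ini_loaded_file() : false,
        // Extension: ask the engine directly instead of searching an array
        'extension'   => extension_loaded('suhosin'),
        // Patch: look up the single constant named in the thread
        'patch'       => defined('SUHOSIN_PATCH'),
        // Per the commit message above, get_defined_constants(false) is
        // broken prior to PHP 5.2.11, so flag builds where a listing-based
        // check cannot be trusted.
        'constant_listing_reliable' => version_compare(PHP_VERSION, '5.2.11', '>='),
    );
}

// Turn the status array into one "key: value" line per entry.
function render_status(array $status)
{
    $lines = array();
    foreach ($status as $key => $value) {
        if (is_bool($value)) {
            $value = $value ? 'yes' : 'no';
        }
        $lines[] = sprintf('%-26s %s', $key . ':', $value);
    }
    return implode("\n", $lines) . "\n";
}

// When served by the web server, send plain text so the lines stay aligned.
if (php_sapi_name() !== 'cli' && !headers_sent()) {
    header('Content-Type: text/plain');
}
echo render_status(suhosin_status());
```

Run it once from the command line and once through the web server; differing sapi, php_version or ini_file lines mean two different PHP builds are in play.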