I'm running Piwik 1.0 with FastCgi on a Debian Lenny system.
The SecurityInfo-Plugin says:
1) You are not running PHP with the Suhosin extension loaded. We recommend both the patch and extension for low- and high-level protections including transparent cookie encryption and remote inclusion vulnerabilities.
2) You are not running PHP with the Suhosin patch applied. We recommend both the patch and extension for low- and high-level protections against (for example) buffer overflows and format string vulnerabilities.
PHP tells me:
PHP 5.2.6-1+lenny9 with Suhosin-Patch 0.9.6.2 (cgi-fcgi) (built: Aug 4 2010 05:59:13)
Copyright (c) 1997-2008 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2008 Zend Technologies
Same message when calling phpinfo in the piwik dir.
Perhaps the web server is using a different php binary?
Try again with this script:
<?php
print_r(get_loaded_extensions()); // this should contain "suhosin" if you have the Suhosin extension
print_r(get_defined_constants()); // this should contain SUHOSIN_PATCH if the Suhosin patch was applied
$exts = get_loaded_extensions(); // $exts doesn't contain "suhosin"
$constants = get_defined_constants(); // $constants['SUHOSIN_PATCH'] = 0.9.6.2
According to this, the opened bug can be closed by 50%. It seems that the extension is not loaded, and therefore the notice about the extension is correct.
But the notice about the patch shouldn't be given.
(In ) fixes #1753, refs #1310 - get_defined_constants(false) is broken prior to php 5.2.11
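As an added example (not Piwik's SecurityInfo plugin code), the following script reports both Suhosin pieces for the SAPI that actually serves the page, using extension_loaded() and defined() instead of get_defined_constants(false), so it does not depend on the pre-5.2.11 behaviour the fix refers to. The function name suhosin_status() is an assumption for this example.

```php
<?php
// Added example, not part of Piwik: detect the Suhosin extension and the
// Suhosin patch without calling get_defined_constants(false), which the
// ticket notes is broken before PHP 5.2.11.
function suhosin_status()
{
    // The extension registers itself under the name "suhosin";
    // phpversion('suhosin') returns false when it is not loaded.
    $extension_loaded = extension_loaded('suhosin');
    $extension_version = $extension_loaded ? phpversion('suhosin') : null;

    // The patch defines the SUHOSIN_PATCH constant (e.g. 0.9.6.2 above).
    $patch_applied = defined('SUHOSIN_PATCH');
    $patch_version = $patch_applied ? constant('SUHOSIN_PATCH') : null;

    return array(
        'sapi'              => php_sapi_name(), // cli vs. cgi-fcgi may differ
        'extension_loaded'  => $extension_loaded,
        'extension_version' => $extension_version,
        'patch_applied'     => $patch_applied,
        'patch_version'     => $patch_version,
    );
}

$s = suhosin_status();
echo 'SAPI: ' . $s['sapi'] . "\n";
echo 'Suhosin extension: '
    . ($s['extension_loaded'] ? 'loaded (' . $s['extension_version'] . ')' : 'not loaded')
    . "\n";
echo 'Suhosin patch: '
    . ($s['patch_applied'] ? 'applied (' . $s['patch_version'] . ')' : 'not applied')
    . "\n";
```

Run it once from the CLI and once through the web server; a differing SAPI line confirms the two are using different PHP binaries or php.ini files.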