PHP Security


#1

Thank you for taking the time to read my post. Your response is truly appreciated.

I recently installed Piwik via the Goodies. I went through the plugins for Piwik, and activated the one for PHP Security. Here are the results from that activation, where it tells you what's safe, somewhat safe, and critical. I will assume the color codes are green, yellow and red. I’ve posted all the yellow.

Please note that I did post this question over at my server's forum, but no answer in several days. I’ve assumed that my question would be more easily understood here at the Piwik forum.

Test: Suhosin patch -
You are not running PHP with the Suhosin patch applied. We recommend both the patch and extension for low- and high-level protections against (for example) buffer overflows and format string vulnerabilities.

Test: Suhosin extension -
You are not running PHP with the Suhosin extension loaded. We recommend both the patch and extension for low- and high-level protections including transparent cookie encryption and remote inclusion vulnerabilities.

Application: PHP -
You are running PHP 5.2.17. The latest version of PHP is 5.3.6.
NOTE: I was alerted that the host does patch often and I am not sure if this truly is something I should request (if possible)

Session: save_path -
save_path is disabled, or is set to a common world-writable directory. This typically allows other users on this server to access session files. You should set save_path to a non-world-readable directory.

Core: display_error -
display_errors is enabled. This is not recommended on “production” servers, as it could reveal sensitive information. You should consider disabling this feature.

Core: file_uploads -
file_uploads are enabled. If you do not require file upload capability, consider disabling them.

Core: upload_tmp_dir -
upload_tmp_dir is disabled, or is set to a common world-writable directory. This typically allows other users on this server to access temporary copies of files uploaded via your PHP scripts. You should set upload_tmp_dir to a non-world-readable directory.

Core: open_basedir -
open_basedir is disabled. When this is enabled, only files that are in the given directory/directories and their sub-directories can be read by PHP scripts. You should consider turning this on. Keep in mind that other web applications not written in PHP will not be restricted by this setting.

Can someone please offer up their own experiences with such, and maybe some ideas on how I would go about completing the suggested solutions? I do not expect anyone to answer each issue, but if you can answer one that would be a great help. I am not fluent in PHP, but I can follow directions, and once I understand the basic steps for completing the solution I feel confident I can complete this.

Thank you in advance


(Matthieu Aubry) #2

Search on the internet for each setting if you need more help, there is already a lot of documentation out there.


(vipsoft) #3

The Suhosin patch catches things missed by the php devs.

The Suhosin extension adds some safeguards, but you have to be fairly knowledgeable about how the webapps work so you know where its config limits aren’t necessarily reasonable.

5.2.17 is the last of the 5.2.x series. Good enough but it’s reached end of life for maintenance. I’m testing the 5.4 alpha this weekend.

session.save_path - not as big a concern in Piwik 1.5 since we switched to a database for sessions; still something to be aware of if you have other apps

display_error - should be off for public facing sites; if there’s an error, you don’t want to be leaking any info about your environment

upload - if you want to be able to upload a custom logo, configure accordingly

open_basedir - it’s good for you


#4

Hi Anthon,

I truly appreciate your reply. It was very helpful, as the first reply made me feel the forum wasn’t going to be much help.

What ultimately brought me here is that I did search the net before even coming here, but the results at the PHP website were not very clear on what file(s) I was to edit so that is what brought me here.

Your reply was awesome and you took the time to answer several of the questions I had. Awesome job you have done here!


(vipsoft) #5

Of course, in shared hosting, you have to work with your provider. It could be as simple as a custom php.ini in your account’s home directory.


#6

Anthon,

Thank you! See, that makes perfect sense now. I am on shared hosting right now so I do not have access to the PHP files. That is why my search results only confused me. THANK you again!


#7

I use special php.ini files only for the Piwik installations and am able to set them specifically for each Piwik (for the Piwik installation of each site I have a different php.ini)… but it seems not good enough.

Testing this on several sites as well as on different environments, such as my home server, the results are the same (at the end of the post I will list my servers’ specs).
So the following come up as yellow although I have set them right in php.ini:

display_errors:
it says: display_errors is enabled. This is not recommended on “production” servers, as it could reveal sensitive information. You should consider disabling this feature

It is not enabled, it is set as: display_errors = off. As far as I can remember on that server, it is not a matter of Apache not having been restarted; also, changes to php.ini go live very fast (if not instantly, at least on my host). Same behaviour on my local server, where I have access to the default php.ini of Apache for the whole server. Additionally, if I remove “phpinfo” from “disable_functions” and check the PHP information I clearly see the directive display_errors having the value off. Also Joomla System Information does show it off, if I point Joomla to use the same php.ini. Any explanation on this?

save_path:
it says: save_path is disabled, or is set to a common world-writable directory. This typically allows other users on this server to access session files. You should set save_path to a non-world-readable directory

You are talking about the session.save_path, right? If yes, it is set outside the web root, and the permissions of its directory, as well as its upper-level directories, are set to 700 (owner only). I also use open_basedir and have set the session.save_path there too. WordPress and Joomla react properly to such changes, except Piwik. Any explanation on this one, please? What I noticed was that the “upload_tmp_dir” was yellow although out of the web root. It only turned green when I set its permissions to 700. But I didn’t have the same luck with “save_path”.

Now “Suhosin extension” and “Suhosin patch” are also yellow, but I know they are not enabled. Are there any security risks in leaving them as they are? Because I read a lot about how insecure those are to have enabled on a server. Some info on this, please, would be greatly appreciated.

The “PHP” version is also yellow. It says: You are running PHP 5.3.10. The latest version of PHP is 5.4.0. Can you please pass me a link to see what are the advantages of running 5.4 with Piwik ?

Thanks

server 1:
Apache on Linux 2.6.38.7 #46 i686
DB Version: 5.1.56
PHP Version: 5.3.10
WebServer to PHP Interface: cgi-fcgi

server 2:
Apache on Linux 2.6.32-40-generic #87-Ubuntu i686
DB Version: 5.1.61-0ubuntu0.10.04.1
PHP Version: 5.3.2-1ubuntu4.14
WebServer to PHP Interface: cgi-fcgi

All Piwik installations are ftp uploaded in binary mode.
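Two points in this thread call for a worked example: vipsoft's advice in #5 that on shared hosting the fix is usually a custom php.ini in your own account, and the discrepancy in #7 where display_errors and session.save_path still show yellow after being set. The script below is an added example written for this thread; it is not Piwik's code and not PhpSecInfo's. It re-runs the same checks against the live configuration and, for each one that fails, prints the php.ini line to add. The /home/example/... paths are placeholders for your own account; every directory named must exist, be owned by the user PHP runs as, and be mode 0700 (the same condition that turned upload_tmp_dir green in #7).

```php
<?php
// Added example for this thread, not code from Piwik or PhpSecInfo.
// Re-runs the thread's checks against the live PHP configuration and, for
// each failing check, prints the line to put in a per-account php.ini.
// Assumption: the /home/example/... paths are placeholders; replace them
// with directories you own, outside the web root, chmod 0700.

// ini_get() returns the configured value as a raw string, never a bool.
// php.ini normalises Off/No/False to "" and On/Yes/True to "1", but a value
// set with php_value in .htaccess or with ini_set() arrives verbatim
// ("off", "Off", "0", ...). Treat every spelling of "off" as off;
// "stderr"/"stdout" still count as enabled for display_errors.
function ini_bool_is_off($value)
{
    $v = strtolower(trim((string) $value));
    return in_array($v, array('', '0', 'off', 'no', 'false', 'none'), true);
}

// session.save_path may carry a depth and mode prefix: "N;/path" or
// "N;MODE;/path". The directory is always the last ';'-separated part.
function session_save_dir($raw)
{
    $parts = explode(';', (string) $raw);
    return trim(end($parts));
}

// True when other local users can list, read or traverse the directory,
// or when it is unset (PHP then falls back to the shared system temp dir,
// which is exactly the world-writable case the plugin warns about).
function dir_is_world_accessible($dir)
{
    $dir = trim((string) $dir);
    if ($dir === '' || !is_dir($dir)) {
        return true;
    }
    // any r/w/x bit for "other" fails the check, so only 0700-style modes pass
    return (fileperms($dir) & 0007) !== 0;
}

// Returns directive => php.ini line(s) to set; empty array when all checks pass.
function audit_php_config()
{
    $fixes = array();

    if (!ini_bool_is_off(ini_get('display_errors'))) {
        $fixes['display_errors'] = "display_errors = Off\n"
            . "log_errors = On\n"
            . "error_log = /home/example/private/logs/php_error.log";
    }

    if (dir_is_world_accessible(session_save_dir(ini_get('session.save_path')))) {
        $fixes['session.save_path'] = "session.save_path = /home/example/private/sessions";
    }

    if (dir_is_world_accessible(ini_get('upload_tmp_dir'))) {
        $fixes['upload_tmp_dir'] = "upload_tmp_dir = /home/example/private/upload";
    }

    // open_basedir must list every directory PHP touches, including the
    // session and upload directories above, or those settings stop working.
    if (trim((string) ini_get('open_basedir')) === '') {
        $fixes['open_basedir'] = "open_basedir = /home/example/public_html:/home/example/private";
    }

    if (!ini_bool_is_off(ini_get('file_uploads'))) {
        $fixes['file_uploads'] = "file_uploads = Off   ; leave On if you upload a custom logo through Piwik";
    }

    return $fixes;
}

$fixes = audit_php_config();
if (!$fixes) {
    echo "All checks passed.\n";
}
foreach ($fixes as $directive => $line) {
    echo "[yellow] $directive -> add to php.ini:\n$line\n\n";
}
```

Drop the file into the Piwik directory and load it through the web server so it runs under the same SAPI and php.ini as Piwik itself (with a CGI/FastCGI interface like the cgi-fcgi shown in the server specs above, a php.ini in the script's directory is what gets applied). Delete it when you are done: it discloses paths and settings, which is the same reason display_errors belongs off on a public site. Note that the boolean handling in ini_bool_is_off() is only a robust way to read the raw string; the thread does not establish what caused the plugin's display_errors report in #7.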


(vipsoft) #8

display_errors: fixed in the next piwik release

save_path: I’ll investigate and see if there’s a fix upstream or explanation. (PhpSecInfo is a third-party library)

Suhosin: the patch adds low-level security protections that catch latent bugs in php. More info at suhosin.org.

PHP versions: generally, newer versions are more stable, secure, and performant

The important thing to remember is that the SecurityInfo plugin is advisory. It doesn’t know everything about your environment.