I have installed Piwik in the hope that it will be a good alternative to using Google Analytics, but in reading posts in regard to this issue, using ini_set concerns me, being a server admin.
I had disabled ini_set in my php.ini file and also denied users the ability to override the master php.ini by writing their own.
I have now re-enabled ini_set to simply test this software out to see if it's even worth using, and it seems that it is a great application, but I am also saddened at the stance that the staff of Piwik take towards server security.
Also that you do say that you listen to your members that are using the software but simply state it's a “wontfix” issue as it's not as important as bug fixes and the like. Sure, I do understand that you need to get the bugs fixed as they themselves could also be security flaws, but also the code that you are using in general is a security flaw, well, the ini_set portion is.
At the end of the day, if that's what you need to use to make your software work, great, but at least provide a workaround for people that are either
a/ On shared hosting plans that are unable to change the php.ini
b/ Simply do not wish to compromise security but enjoy the great application that you have made.
I just believe there should be a workaround, either a line in a htaccess file or something that can be done. I for one will not compromise my clients' accounts on my server.
To say that I have brought nothing to this, fair call, and I will be endeavouring to find a workaround, and if I find one I'll be too happy to post it, but if anybody else at the present moment has had the same issue and has been able to find a workaround to this without compromising security, I am all ears.
My bad, I will keep my posts short so they're more understandable.
ini_set = security issue. Why should we be forced to enable a security flaw just to run this application? Most shared hosting providers have safe mode on and disable this function for exactly that reason…
2/ REASON - Because PHP scripts in a shared environment and I suppose even in a dedicated environment don’t need this function to work. It is an insecure function and the scripts could be written in a different way to accomplish the same thing.
OK, hate to treat people like they're simply not listening, so let's get to the images here to point out the issue.
1st image is what I have when the ini_set function is disabled in php.ini (which most servers have disabled, and shared hosts have safe mode that prevents the use of this function).
Now to spell it out loud and clear: ini_set is, I am led to believe, a security flaw; that is why it has been disabled by a lot of hosting providers. My question is yet again:
IS THERE A WORKAROUND TO THIS ISSUE SO AS NOT TO LOWER SOMEBODY'S SECURITY JUST TO MAKE IT WORK?
If this has not spelt it out any clearer then I give up; I will simply remove it and go with Google Analytics or stick with Awstats.
Sorry, ini_set should be enabled, definitely. However, I know that in some PHP configurations the function is enabled but does not do anything, which is fine…