Piwik: PHP Security

Thank you for taking the time to read my post. Your response is truly appreciated.

I recently installed Piwik via the Goodies. I went through the plugins for Piwik and activated the one for PHP Security. Here are the results from that activation, where it tells you what's safe, somewhat safe, and critical. I will assume the color codes are green, yellow and red. I've posted all the yellow.

Test: Suhosin patch -
You are not running PHP with the Suhosin patch applied. We recommend both the patch and extension for low- and high-level protections against (for example) buffer overflows and format string vulnerabilities.

Test: Suhosin extension -
You are not running PHP with the Suhosin extension loaded. We recommend both the patch and extension for low- and high-level protections including transparent cookie encryption and remote inclusion vulnerabilities.

Application: PHP -
You are running PHP 5.2.17. The latest version of PHP is 5.3.6.
NOTE: I was alerted that the host does patch often and I am not sure if this truly is something I should request (if possible)

Session: save_path -
save_path is disabled, or is set to a common world-writable directory. This typically allows other users on this server to access session files. You should set save_path to a non-world-readable directory.

Core: display_error -
display_errors is enabled. This is not recommended on “production” servers, as it could reveal sensitive information. You should consider disabling this feature.

Core: file_uploads -
file_uploads are enabled. If you do not require file upload capability, consider disabling them.

Core: upload_tmp_dir -
upload_tmp_dir is disabled, or is set to a common world-writable directory. This typically allows other users on this server to access temporary copies of files uploaded via your PHP scripts. You should set upload_tmp_dir to a non-world-readable directory.

Core: open_basedir -
open_basedir is disabled. When this is enabled, only files that are in the given directory/directories and their sub-directories can be read by PHP scripts. You should consider turning this on. Keep in mind that other web applications not written in PHP will not be restricted by this setting.

Can someone please offer up their own experiences with such, and maybe some ideas on how I would go about completing the suggested solutions? I am not fluent in PHP, but I can follow directions, and once I understand the basic steps for completing the solution I feel confident I can complete this.

Thank you in advance
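The Suhosin and PHP-version items above can only be addressed by the host, but the remaining yellow items (session.save_path, upload_tmp_dir, display_errors, file_uploads, open_basedir) are php.ini settings you can change yourself wherever the host lets you supply a per-user php.ini. The script below is an added example, not code from the original post or from Piwik, showing the two steps those findings call for: create private (mode 0700) directories for session and upload temp files so other users on the shared server cannot read them, and write the php.ini overrides that point PHP at them. The directory names, the document root and the php.ini location are assumptions; the real php.ini path and the exact override mechanism depend on your host (a `.user.ini` file needs PHP 5.3 or later, so it is not an option on 5.2.17).

```shell
#!/bin/sh
# Added example (not from the post or Piwik): harden the php.ini findings that
# the PHP Security plugin flagged. All paths below are assumptions.
set -eu

PHP_PRIV="${PHP_PRIV:-$HOME/.php-private}"   # assumed home for private PHP state
DOCROOT="${DOCROOT:-$HOME/example.com}"      # assumed document root containing piwik/

# Create a directory only its owner can read, write or enter (mode 0700), so
# session files and upload temp copies are not visible to other shell users.
make_private_dir() {
    dir="$1"
    mkdir -p "$dir"
    chmod 0700 "$dir"
}

# Return 0 if the directory exists and has no group/other permission bits.
# Parses `ls -ld` so it behaves the same on GNU and BSD userlands.
dir_is_private() {
    dir="$1"
    [ -d "$dir" ] || return 1
    perms=$(ls -ld "$dir" | cut -c5-10)   # the group and other rwx fields
    [ "$perms" = "------" ]
}

# Write a php.ini fragment with the weak value noted in a comment beside the
# corrected one. open_basedir must include every directory PHP needs to touch,
# so the session and upload directories are listed alongside the docroot.
write_php_ini() {
    ini="$1"; sessions="$2"; uploads="$3"; docroot="$4"
    cat > "$ini" <<EOF
; Per-user php.ini overrides (example, assumed location)

; was: display_errors = On   -> error text (paths, queries) shown to visitors
display_errors = Off
log_errors = On

; was: session.save_path unset -> sessions land in a shared /tmp
session.save_path = "$sessions"

; was: upload_tmp_dir unset -> uploads land in a shared /tmp
upload_tmp_dir = "$uploads"

; was: file_uploads = On; set back to On only if a feature you use needs it
file_uploads = Off

; was: open_basedir unset -> scripts may read any file the PHP user can
open_basedir = "$docroot:$sessions:$uploads"
EOF
}

# Read one directive back out of the fragment (quotes stripped).
ini_value() {
    sed -n "s/^$2 *= *//p" "$1" | tr -d '"'
}

# Apply both steps under a given private base directory.
harden() {
    base="$1"; docroot="$2"
    make_private_dir "$base/sessions"
    make_private_dir "$base/uploads"
    write_php_ini "$base/php.ini" "$base/sessions" "$base/uploads" "$docroot"
}

# Only touch the real home directory when explicitly asked.
if [ "${1:-}" = "--apply" ]; then
    harden "$PHP_PRIV" "$DOCROOT"
    echo "wrote $PHP_PRIV/php.ini; point the host's PHP at it and re-run the plugin"
fi
```

After running it with `--apply`, re-run the PHP Security plugin: the save_path, upload_tmp_dir, display_errors and open_basedir checks should turn green, and anything still yellow is either a host-side item (Suhosin, PHP version) or a sign that the host is not actually reading the php.ini you wrote.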