This page contains the instructions and possible responses from using the Site Analyzer.
Instructions for site administrators
- Download the analyze.php script and place it in your site's cookbook/ directory.
- Add the following lines to local/config.php, changing $AnalyzeKey to a key to use for your site.
$AnalyzeKey = 'secret';
- Fill in the form at the top of the site analyzer page with the url used to access your site and the value of $AnalyzeKey that you set in local/config.php.
- Press the "Analyze Site" button.
- The PmWiki server will contact your site and report back with information on recommended configuration changes to your site and any vulnerabilities you may need to consider.
Checking the "Allow pmwiki.org to save a copy of analysis results" box will save a copy of the analyzer results in a private (web inaccessible) section of the pmwiki.org server. Having copies of results from many systems will help us to improve the analyzer and future configuration and security options for the PmWiki distribution.
Obtain site configuration ... no connection
The analyzer was unable to connect to the site. This may be because the url was entered incorrectly, the site is behind a firewall, or is otherwise inaccessible to the pmwiki.org server.
Obtain site configuration ... missing analyzer
The analyzer was able to reach the site, but the site did not respond to the
?action=analyze request. You may need to install the analyze.php script. This script should go in the cookbook/ directory, and then be enabled with
$AnalyzeKey = 'secret';
Obtain site configuration ... no key
The analyzer was able to contact the site, but the site does not appear to have an $AnalyzeKey set.
Obtain site configuration ... invalid key
The analyzer reached the
?action=analyze request, but the key entered did not match the $AnalyzeKey on the remote site.
Obtain site configuration ... update
A newer version of the analyze.php script is available -- you may wish to download it and re-run the analysis.
$FarmD register_globals vulnerability ... ok
Your site does not appear to have the
$FarmD register globals vulnerability.
$FarmD register_globals vulnerability ... vulnerable
Your site appears to be vulnerable to the
$FarmD register globals vulnerability. This vulnerability is being actively exploited in the wild, so you should do one of the following at the earliest opportunity:
- Upgrade to a version of PmWiki at least 2.1.22 or greater.
- Turn off register_globals in the php.ini or .htaccess file.
Recipe versions ... ok
All of the cookbook recipes active at this url appear to be up-to-date. Here's a list:
Recipe versions ... check
There appear to be some new versions of cookbook scripts* available. Here's a list:
* Note: Not all scripts reported here are necessarily installed. This list includes all PHP scripts in the cookbook directory, regardless of whether they are included via config.php or not. (PmWiki reports on all scripts in the cookbook directory because they may be conditionally included in certain configurations.)
AuthUser vulnerability ... ok
Your site does not appear to have the AuthUser vulnerability.
AuthUser vulnerability ... upgrade
Your site does not have the AuthUser vulnerability at the moment. You are, however, strongly encouraged to upgrade to PmWiki version 2.2.2 or later, as some future configuration of your hosting server might put you at risk.
AuthUser vulnerability ... probably vulnerable
Your site may be vulnerable to AuthUser vulnerability, if it relies on the core module AuthUser for User:Password authentication. This vulnerability may be actively exploited in the wild, so you should do one of the following at the earliest opportunity:
- Upgrade to a version of PmWiki at least 2.2.2 or greater.
- Turn on magic_quotes_gpc in the php.ini or .htaccess file.
?action=diag ... enabled
Your site is running with
$EnableDiag set to 1, and others are able to perform
?action=diag on your pages to get diagnostic information about your site. While this isn't necessarily a bad thing (pmwiki.org does it), it can show a lot of configuration information that you might not want to be publicly available.
You may want to change local/config.php to have
$EnableDiag=0 (PmWiki's default). A useful alternative to setting
$EnableDiag in local/config.php is to set it in a per page customization, so that ?action=diag is enabled only on a single page instead of the entire site.
To provide additional security use
if (CondAuth($pagename, 'edit')) $EnableDiag = 1;
$ScriptUrl setting ... relative
Your site has the
$ScriptUrl variable set to a relative url -- i.e., without a leading http:// or https:// prefix. While this may appear to work in many situations, some web standards (e.g., web feeds and HTTP redirects) require the use of a fully-qualified (absolute) url. You may want to update your setting of
$ScriptUrl to use an absolute url instead of a relative one.
If you want PmWiki to use relative urls for its internal page links, try the