Filesystem access equals root access #571

Closed
anonymous-matomo-user opened this issue Feb 26, 2009 · 3 comments
Labels
Bug For errors / faults / flaws / inconsistencies etc. c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. Major Indicates the severity or impact or benefit of an issue is much higher than normal but not critical.
Milestone

Comments

@anonymous-matomo-user

In addition to being able to log in as root with password=1234,
I can also log in using user root with password=81dc9bdb52d04dc20036dbd8313ed055

This can have serious consequences if anyone can find a way to print out config/config.ini.php

There may be other situations where an attacker knows the MD5 hash (or other hash should you change digests) but not the password.

@robocoder
Contributor

What are you proposing be changed?

(I assume by “root”, you meant the Piwik superuser.)

@anonymous-matomo-user
Author

> (I assume by “root”, you meant the Piwik superuser.)

Yes. My config.ini.php file looks like this:

```ini
[superuser]
login = root
password = 81dc9bdb52d04dc20036dbd8313ed055
```

With these settings, I can log in with username=root, password=1234 as well as username=root, password=81dc9bdb52d04dc20036dbd8313ed055

> What are you proposing be changed?

Don’t compare with the password as listed in the ini-file. Instead, only compare with its hash.

In plugins/Login/Controller.php, replace this:

```php
if (strlen($password) != 32) {
    $password = md5($password);
}
```

with this:

```php
$password = md5($password);
```

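The two checks quoted above, side by side, as an added example (not Matomo's own code): Python mirroring the PHP `strlen`/`md5` logic against a constructed superuser record with the password from the issue. The 32-character plaintext password is a constructed case that shows a second defect of the length check: a legitimate user whose password happens to be exactly 32 characters long cannot log in at all.

```python
import hashlib
import hmac


def md5_hex(s: str) -> str:
    """Same digest PHP's md5() produces: lowercase hex, 32 characters."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


# Constructed record mirroring the [superuser] section in config.ini.php:
# plaintext "1234", stored as its MD5 hash.
STORED_LOGIN = "root"
STORED_MD5 = md5_hex("1234")  # 81dc9bdb52d04dc20036dbd8313ed055

# Constructed edge case: a plaintext password that is exactly 32 characters.
LONG_PASSWORD = "x" * 32


def normalize_vulnerable(password: str) -> str:
    """Pre-fix logic of plugins/Login/Controller.php: a 32-character input is
    assumed to already be an MD5 digest and is passed through unhashed, so the
    stored hash itself is accepted in place of the password."""
    if len(password) != 32:
        return md5_hex(password)
    return password


def normalize_fixed(password: str) -> str:
    """Post-fix logic: always hash, so only the plaintext can match."""
    return md5_hex(password)


def check_login(login: str, password: str, stored_md5: str, normalize) -> bool:
    """Compare the normalized submitted password with the stored MD5 hash.

    Bytes are compared in constant time; the vulnerable path may pass through
    arbitrary user input, so the comparison must not assume hex digests."""
    if login != STORED_LOGIN:
        return False
    return hmac.compare_digest(normalize(password).encode(), stored_md5.encode())


def pass_the_hash_accepted(normalize) -> bool:
    """True when the stored hash, as read from config.ini.php, logs in."""
    return check_login("root", STORED_MD5, STORED_MD5, normalize)


def long_password_accepted(normalize) -> bool:
    """True when a user with a 32-character plaintext password can log in."""
    return check_login("root", LONG_PASSWORD, md5_hex(LONG_PASSWORD), normalize)
```
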
@mattab
Member

mattab commented Mar 2, 2009

fixed in 943
- CHANGED previously, it was possible to log in using the md5 hash of the password as the password, but for best practices and increased security we removed this feature.
- CHANGED previously, it was possible to log in using the “one click logme” as described in the [FAQ](http://piwik.org/faq/how-to/#faq_30); we added the rule that this method cannot be used to log in as the Super User.
- CHANGED slight change in the API of UsersManager.getTokenAuth($userLogin, $md5Password); previously, the second parameter could be either the password or the md5 hash of the password. For increased security and consistency, the second parameter is now required to be the md5 of the password. Please call md5() on the string before calling this API method.

This issue was closed.