Inconsistent use of cryptography - always try SSL first to connect to Piwik.org and other services #11016
Labels: c: Security, c: Website matomo.org
During security testing of 3.0.0-rc3 I noted the following inconsistencies in the use of TLS, which mean that someone with access to network traffic from client to servers (Piwik server or *.piwik.org), or from server to Internet, could manipulate the content of pages within Piwik or executable modules, or exec within Piwik, even if the end server uses TLS to protect all its page views.
Mitigate this by migrating the servers to HTTPS and using HSTS to keep users on HTTPS even if they encounter an HTTP link, including builds.piwik.org.
Although all builds are PGP signed, you wouldn't know this unless you specifically went looking for that information. Directing users to http://piwik.org/blog/2014/11/verify-signatures-piwik-packages/ could also mitigate or defeat people attempting to impersonate the builds.piwik.org server.
Mitigation - use HTTPS for these links.
Use of HSTS might reduce the window for attack without needing to change all links.
Some of this information also goes via the Proxy, but still opens pages over HTTP.
http://feeds.feedburner.com/Piwik is fetched by the server to populate the Piwik Blog box by default.
plugins/RssWidget/Widgets/RssChangelog.php: $rss = new RssRenderer('http://feeds.feedburner.com/PiwikReleases');
plugins/RssWidget/Widgets/RssPiwik.php: $rss = new RssRenderer('http://feeds.feedburner.com/Piwik');
HTTPS versions of the feedburner URLs are available, although there is some mixed content due to innocraft images loading over HTTP; these images aren't rendered in the RSS summary.
There doesn't appear to be any attempt to sanitise content in the RssRenderer. If the content could be relied on to be from a trusted source, the current sanitisation may be sufficient. I didn't try manipulating or replacing feedburner responses; it can at least be exploited to lead users to the wrong website.
Testing of server HTTP use was incomplete, as we didn't start recording server HTTP activity before the installation was started. We noted other server initiated traffic over HTTP, but weren't able to confirm that Piwik was the source.
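The following is an added illustration of the two mitigations discussed in this report (force HTTPS on the outbound feed URLs, and escape and link-check feed content before rendering). It is not Matomo/Piwik code and not the RssRenderer from the plugin: the function names (`enforce_https`, `safe_link`, `render_items`, `render_widget_html`) and the sample feed are constructed for this example, and Python is used for illustration rather than the project's PHP.

```python
"""Hardened RSS widget helpers (added example, not Matomo/Piwik code).

Assumed model (not from the issue): the server fetches a feed URL, then
renders a list of item titles linked to item URLs. The helpers below
(a) rewrite the fetch URL so only https is ever used, (b) HTML-escape all
feed text so markup in a feed is displayed literally rather than executed,
and (c) drop any item link that is not an absolute http(s) URL.
"""
import html
import itertools
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

ALLOWED_LINK_SCHEMES = ("http", "https")


def enforce_https(url: str) -> str:
    """Return the feed URL with its scheme forced to https.

    Any URL that is not an absolute HTTP(S) URL is refused outright, so a
    plain 'http://' entry in configuration is upgraded instead of fetched
    in the clear.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_LINK_SCHEMES or not parts.netloc:
        raise ValueError(f"refusing feed URL {url!r}: not an absolute HTTP(S) URL")
    # Only the scheme changes; host, path, query and fragment are preserved.
    return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))


def safe_link(url):
    """Return the link if it is an absolute http(s) URL, otherwise None.

    This keeps javascript:, data: and relative links out of the widget.
    """
    if url is None:
        return None
    candidate = url.strip()
    parts = urlsplit(candidate)
    if parts.scheme in ALLOWED_LINK_SCHEMES and parts.netloc:
        return candidate
    return None


def render_items(feed_xml: str, limit: int = 5) -> list:
    """Parse an RSS 2.0 document and return escaped, link-checked items.

    ElementTree does not fetch external entities, but for feeds from
    untrusted sources the defusedxml package is the usual parser choice.
    """
    root = ET.fromstring(feed_xml)
    rendered = []
    for item in itertools.islice(root.iter("item"), limit):
        title = (item.findtext("title") or "").strip()
        description = (item.findtext("description") or "").strip()
        rendered.append({
            "title_html": html.escape(title),
            "description_html": html.escape(description),
            "link": safe_link(item.findtext("link")),
        })
    return rendered


def render_widget_html(feed_xml: str, limit: int = 5) -> str:
    """Build the widget's <ul> from the sanitised items; unlinked items keep their title."""
    parts = []
    for it in render_items(feed_xml, limit):
        if it["link"]:
            href = html.escape(it["link"], quote=True)
            parts.append(f'<li><a href="{href}">{it["title_html"]}</a></li>')
        else:
            parts.append(f'<li>{it["title_html"]}</li>')
    return "<ul>" + "".join(parts) + "</ul>"


# Constructed sample feed (not real feedburner output): one ordinary item and
# one item carrying markup in its text and a non-http link.
SAMPLE_FEED = """<rss version="2.0"><channel><title>Constructed feed</title>
<item><title>Piwik 3.0.0 released</title><link>https://matomo.org/blog/example/</link>
<description>Normal entry.</description></item>
<item><title>Click me &lt;script&gt;alert(1)&lt;/script&gt;</title><link>javascript:alert(1)</link>
<description>&lt;img src=x onerror=alert(1)&gt;</description></item>
</channel></rss>"""


if __name__ == "__main__":
    for name in ("http://feeds.feedburner.com/Piwik", "http://feeds.feedburner.com/PiwikReleases"):
        print(name, "->", enforce_https(name))
    print(render_widget_html(SAMPLE_FEED))
```

The widget output for the sample feed contains the first item as a normal link and the second item as escaped text with no `<a>` element at all, since its link failed the scheme check.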