Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Inconsistent use of cryptography - always try SSL first to connect to Piwik.org and other services #11016

Open
SimonWaters opened this issue Dec 15, 2016 · 1 comment
Labels
c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. c: Website matomo.org For issues related to our matomo.org website.

Comments

@SimonWaters
Copy link

During security testing 3.0.0-rc3 I noted the following inconsistencies in the use of TLS that means someone with access to network traffic from client to servers (Piwik server or *.piwik.org) or from server to Internet could manipulate the content of pages within Piwik or executable modules, or exec within Piwik even if the end server uses TLS to protect all its page views.

  1. Download link for 3.0.0-rc2 on Piwik blog https://piwik.org/blog/2016/12/piwik-3-release-candidate/ uses HTTP not HTTPS when linking to builds.piwik.org

Mitigate this by migrating the servers to HTTPS and use HSTS to keep users using HTTPS even if they encounter an HTTPS link, including builds.piwik.org.

Although all builds are PGP signed, you wouldn't known this unless you specifically go looking for that information, when you are directed to http://piwik.org/blog/2014/11/verify-signatures-piwik-packages/ this could also mitigate or defeat people attempting to impersonate the builds.piwik.org server.

  1. Help information within in the app links to the Piwik site using HTTP when HTTPS is available.

Mitigation - use HTTPS for these links.

Use of HSTS might reduce the window for attack without needing to change all links.

Some of this information also goes via the Proxy, but still opens pages over HTTP.

  1. Feed burner information is loaded from

http://feeds.feedburner.com/Piwik

by the server to populate the Piwik Blog box by default.

plugins/RssWidget/Widgets/RssChangelog.php: $rss = new RssRenderer('http://feeds.feedburner.com/PiwikReleases');
plugins/RssWidget/Widgets/RssPiwik.php: $rss = new RssRenderer('http://feeds.feedburner.com/Piwik');

The HTTPS version of feedburner URLs are available, although there is some mixed content due to innocraft images loading over HTTP, these images aren't rendered in the RSS summary.

There doesn't appear to be any attempt to sanitise content in the RssRenderer, if the content could be relied on to be from a trusted source the current sanitisation may be sufficient, I didn't try manipulating or replacing feedburner responses, it can at least be exploited to lead users to the wrong website.

Testing of server HTTP use was incomplete, as we didn't start recording server HTTP activity before the installation was started. We noted other server initiated traffic over HTTP, but weren't able to confirm that Piwik was the source.

@mattab mattab added the c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. label Dec 15, 2016
@mattab mattab added this to the 3.0.0 milestone Dec 15, 2016
@mattab mattab added the c: Website matomo.org For issues related to our matomo.org website. label Dec 15, 2016
@SimonWaters
Copy link
Author

Noted in testing 3.0.4 that the request below still travels over HTTP, it also leaks pretty much everything (MYSQL version, PHP version, client IP address, timezone, server URL), and could be manipulated by attacker between server and Piwik server to prevent upgrades being applied, as well as identifying vulnerable servers.

I appreciate server to server HTTPS can be frustrating as many servers have such poor TLS settings out of the box (which is why WordPress does it itself, which isn't ideal either).

GET /1.0/getLatestVersion/?piwik_version=3.0.4&php_version=7.0.16&mysql_version=5.5.54&release_channel=latest_stable&url=http%3A%2F%2F10.66.2.85%2Findex.php&trigger=CoreHome&timezone=Europe%2FLondon HTTP/1.1
Host: api.piwik.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: /
X-Forwarded-For: 10.67.255.98
Via: 3.0.4 (Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:53.0) Gecko/20100101 Firefox/53.0)

@mattab mattab changed the title Inconsistent use of cryptography Inconsistent use of cryptography - always try SSL first to connect to Piwik.org and other services Jun 21, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. c: Website matomo.org For issues related to our matomo.org website.
Projects
None yet
Development

No branches or pull requests

2 participants