Installation user guide: improve security guidelines #11517

Closed
mattab opened this issue Mar 22, 2017 · 1 comment
Labels
c: Documentation For issues related to in-app product help messages, or to the Matomo knowledge base. c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. not-in-changelog For issues or pull requests that should not be included in our release changelog on matomo.org.

Comments

@mattab
Member

mattab commented Mar 22, 2017

Suggestions below reported by email

Let me prefix this by saying that I have never installed your product. In large part because of the issues below.
I am basing these security flaws on the current documentation on https://piwik.org/docs/installation/

  1. Configuration is world-writable.

    As per the image in:
    https://piwik.org/wp-content/uploads/2008/11/2b-check-tofix1.png

    The configuration is created world-writable during the installation procedure.
    Either this is done by the software (unverified), or by the user following the instruction shown.

  2. MySQL credentials are transmitted over unencrypted HTTP.

    There is no mention in the installation instructions of using encryption to safeguard credentials.
    There is no alternative method documented to configure the credentials (e.g. editing the configuration and uploading via scp).

  3. Superuser credentials are transmitted over unencrypted HTTP.

    There is no mention of safeguarding these credentials either.

  4. The phrase, "by default the super user will be signed up for upgrade and security alerts";

    There is no information about the privacy policy.
    There is also no mention of whether (or how, or which) user information will be submitted to Piwik when the option is not selected.

Thanks.

@mattab mattab added the c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. label Mar 22, 2017
@mattab mattab modified the milestones: 3.0.3, 3.0.4 Mar 22, 2017
@mattab mattab added the c: Documentation For issues related to in-app product help messages, or to the Matomo knowledge base. label Dec 10, 2023
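A shell audit covering the first three points of the report above (world-writable configuration, and credentials that travel over plain HTTP because nothing forces HTTPS), added here as an example; it is not code from Piwik/Matomo or from the issue reporter. It assumes the Matomo layout in which the installer writes its configuration to config/config.ini.php and that setting force_ssl = 1 in the [General] section makes Piwik redirect HTTP to HTTPS; both the path and the key are assumptions to verify against the version you run.

```shell
#!/bin/sh
# Audit helpers for a Piwik/Matomo install directory (added example, not project code).
# Assumptions: the generated config lives at <install>/config/config.ini.php and
# its [General] section may carry "force_ssl = 1" to redirect HTTP to HTTPS.
# Adjust the path and key if your install differs.

# Print every regular file under $1 that is world-writable (o+w).
# -perm -002 is POSIX, so this behaves the same on GNU and BSD find.
world_writable() {
    find "$1" -type f -perm -002 -print
}

# Tighten a config file: owner read/write, group read, nothing for others.
# The web server user must own the file or be in its group to read it.
fix_config_perms() {
    chmod 640 "$1"
}

# Return 0 if the config forces HTTPS (force_ssl = 1), non-zero otherwise.
# Leading whitespace and spaces around "=" are tolerated; a line commented
# out with ";" does not match.
config_forces_ssl() {
    grep -Eq '^[[:space:]]*force_ssl[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# Run the audit against an install directory and report findings.
# Exit status is non-zero if anything needs attention.
audit_install() {
    dir=$1
    cfg="$dir/config/config.ini.php"
    rc=0
    ww=$(world_writable "$dir")
    if [ -n "$ww" ]; then
        echo "world-writable files found (fix with chmod o-w or fix_config_perms):"
        echo "$ww" | sed 's/^/  /'
        rc=1
    fi
    if [ -f "$cfg" ]; then
        if config_forces_ssl "$cfg"; then
            echo "ok: $cfg sets force_ssl = 1"
        else
            echo "warn: $cfg does not force HTTPS; database and super user credentials"
            echo "      entered in the web installer or login form travel in clear text"
            rc=1
        fi
    else
        echo "warn: $cfg not found (installer not run yet?)"
        rc=1
    fi
    return $rc
}

# Stand-alone use: sh audit.sh /var/www/piwik
if [ "$#" -gt 0 ]; then
    audit_install "$1"
fi
```

The installer needs write access to config/ exactly once, to create config.ini.php; the sensible sequence is to grant that write access to the web server user only (not to everyone), run the installer over HTTPS, then run this audit and tighten the resulting file. Forcing SSL in the config does not protect the very first request that carries the MySQL credentials, so the vhost should already serve the installer over HTTPS before that step.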
@mattab
Member Author

mattab commented Dec 10, 2023

Thanks for contributing to this issue. As it has been a few months since the last activity and we believe this is likely not an issue anymore, we will now close this. If that's not the case, please do feel free to either reopen this issue or open a new one. We will gladly take a look again!

@mattab mattab closed this as not planned Won't fix, can't repro, duplicate, stale Dec 10, 2023
@sgiehl sgiehl added the not-in-changelog For issues or pull requests that should not be included in our release changelog on matomo.org. label Dec 11, 2023