New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Access issues within core update function #11797
Comments
@mattab This ticket is very old, but just today I had a discussion with a very security-sensitive customer of mine about it. |
When performing the update on command line, I would recommend to set the |
@sgiehl : But nothing is tracked in maintenance mode or am I misunderstanding that? |
See this FAQ on how to update a large instance without loosing tracking data: https://matomo.org/faq/how-to-update/faq_20844/ |
In the linked FAQ, option 1 via web server log files or option 2 via Redis and Queuing is mentioned. Option 1 with web server log files is a rudimentary approach that is not a solution for fully professional tracking of large websites with events, content tracking, etc. I have to honestly say that both options are not a solution for customers who use Matomo tracking on websites that track an immediate monetary business. And it is precisely such websites and customers who are very security-sensitive and want to update Matomo without losing data. Could it be possible to show this page (see screenshots above) only to authenticated superusers? Edit: Another problem is that you cannot know or estimate beforehand how long the database update will take. You don't know which way to go (update via browser or update on console). |
When updating today, I realized that Piwik doesn't follow its own access rules when applying core updates. Anonymous internet users are able to begin the core update process once the initial step is triggered. Crucially, they are able to see not only the version in use but also the structure of the database and which SQL queries will be performed during the update.
For Piwik sites without a proxy server blocking off-site connections, this could be a critical vulnerability as it reveals a large amount of information about the database, extensions in use, and other software installed on the server. Through this, a malicious visitor would be much better prepared to attack the site.
OS: Ubuntu Trusty 14.04 x64
Version: upgraded from version 2.16.2 to the new version 3.0.4.
Bug posted here after conversation with security@ (enclosed as they provide a workaround):
The text was updated successfully, but these errors were encountered: