@GerardBol opened this Issue on July 5th 2017

I use rsfirewall in my Joomla site.

This rsfirewall detects mkdir($dir,"777") in the source of piwik. Why 777, and set all access open?

@Findus23 commented on July 5th 2017 Member

Do you know which file rsfirewall is complaining about? Most references to 777 I found are in the tests, which shouldn't influence piwik users (as the tests/ directory isn't included in the piwik zip).

@Findus23 commented on July 5th 2017 Member
@GerardBol commented on July 5th 2017

pw/Piwik/core/Updater/Migration/Db/Factory.php
The file has been modified Wednesday 31 May 2017

Possible PHP Injection - function name contains only numbers.

_1(10)

pw/Piwik/vendor/doctrine/cache/lib/Doctrine/Common/Cache/FileCache.php
The file has been modified Wednesday 31 May 2017

Unsafe directory creation - 0777 permissions.

mkdir($path, 0777

pw/Piwik/vendor/doctrine/annotations/lib/Doctrine/Common/Annotations/FileCacheReader.php
The file has been modified Tuesday 15 November 2016

Unsafe directory creation - 0777 permissions.

mkdir($cacheDir, 0777

pw/Piwik/vendor/pear/archive_tar/Archive/Tar.php
The file has been modified Wednesday 31 May 2017

Unsafe directory creation - 0777 permissions.

mkdir($v_header['filename'], 0777

pw/Piwik/vendor/monolog/monolog/src/Monolog/Handler/StreamHandler.php
The file has been modified Wednesday 31 May 2017

Unsafe directory creation - 0777 permissions.

mkdir($dir, 0777

pw/Piwik/vendor/twig/twig/lib/Twig/Cache/Filesystem.php
The file has been modified Wednesday 31 May 2017

Unsafe directory creation - 0777 permissions.

mkdir($dir, 0777

pw/Piwik/vendor/twig/twig/.php_cs.dist
The file has been modified Wednesday 31 May 2017

Suspicious filename found. Files with a dot in front of them are usually hidden by the operating system.

.php_cs.dist

pw/Piwik/vendor/piwik/decompress/libs/PclZip/pclzip.lib.php
The file has been modified Wednesday 31 May 2017

Unsafe directory creation - 0777 permissions.

mkdir($p_dir, 0777

pw/Piwik/vendor/szymach/c-pchart/.scrutinizer.yml
The file has been modified Wednesday 31 May 2017

Suspicious filename found. Files with a dot in front of them are usually hidden by the operating system.

.scrutinizer.yml

pw/Piwik/plugins/LanguagesManager/Commands/CreatePull.php
The file has been modified Wednesday 31 May 2017

Possible PHP injection (file download)

shell_exec('curl

pw/Piwik/libs/bower_components/materialize/.npmignore
The file has been modified Wednesday 31 May 2017

Suspicious filename found. Files with a dot in front of them are usually hidden by the operating system.

From: Lukas Winkler [mailto:notifications@github.com]
Sent: Wednesday 5 July 2017 10:47
To: piwik/piwik <piwik@noreply.github.com>
CC: GerardBol <gerardbolhuis@gmail.com>; Author <author@noreply.github.com>
Subject: Re: [piwik/piwik] mkdir ($dir,"777") (#11843)

I found two places where piwik does a chmod 777. All other chmod calls use 755 or 600:
https://github.com/piwik/piwik/blob/3.x-dev/core/Profiler.php#L324
https://github.com/piwik/piwik/blob/3.x-dev/core/Db/BatchInsert.php#L268

@Findus23 commented on July 5th 2017 Member

Piwik/core/Updater/Migration/Db/Factory.php
Possible PHP Injection - function name contains only numbers.
_1(10)

I am not sure what your tester means, but I couldn't find a function whose name only contains numbers in https://github.com/piwik/piwik/blob/3.x-dev/core/Updater/Migration/Db/Factory.php

pw/Piwik/vendor/doctrine/cache/lib/Doctrine/Common/Cache/FileCache.php
pw/Piwik/vendor/doctrine/annotations/lib/Doctrine/Common/Annotations/FileCacheReader.php
pw/Piwik/vendor/pear/archive_tar/Archive/Tar.php
pw/Piwik/vendor/monolog/monolog/src/Monolog/Handler/StreamHandler.php
pw/Piwik/vendor/twig/twig/lib/Twig/Cache/Filesystem.php
pw/Piwik/vendor/twig/twig/.php_cs.dist
pw/Piwik/vendor/piwik/decompress/libs/PclZip/pclzip.lib.php
pw/Piwik/vendor/szymach/c-pchart/.scrutinizer.yml
pw/Piwik/libs/bower_components/materialize/.npmignore

Those are third-party libraries which may or may not have good reasons for doing that. You'll need to contact them if you want to know why they are using 777.

pw/Piwik/plugins/LanguagesManager/Commands/CreatePull.php

This plugin uses shell_exec to create pull requests updating the language files (https://github.com/piwik/piwik/pull/11820).
I doubt a piwik user will use this function.
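As an added illustration (not Piwik's code and not part of the thread) of why a literal 0777 in mkdir() is not the same thing as a world-writable directory: the mode is masked by the process umask, which a static scanner such as rsfirewall cannot see. The script creates directories under the system temp dir (the path is constructed for the demo) and reports the permission bits actually produced, alongside the defensive form that does not rely on the umask.

```php
<?php
// Added example, not Piwik code: what mkdir($dir, 0777) actually produces.
// The mode given to mkdir() is masked by the process umask, so under the usual
// umask 022 the directory ends up 0755. A static scanner only sees the literal.
declare(strict_types=1);

// POSIX rule for the permission bits a create call yields: mode & ~umask.
function effectivePerms(int $requested, int $umask): int
{
    return $requested & ~$umask & 0777;
}

// Create $dir (if missing) with $mode and return the permission bits it really got.
function createDirAndReport(string $dir, int $mode): int
{
    if (!is_dir($dir) && !mkdir($dir, $mode, true)) {
        throw new RuntimeException("mkdir failed: $dir");
    }
    clearstatcache(true, $dir);
    return fileperms($dir) & 0777;
}

function isWorldWritable(string $path): bool
{
    clearstatcache(true, $path);
    return (fileperms($path) & 0002) === 0002;
}

$base = sys_get_temp_dir() . '/perm-demo-' . getmypid(); // constructed demo path

// 1) Typical case: umask 022 turns a requested 0777 into 0755.
$old = umask(0022);
$got = createDirAndReport("$base/a", 0777);
printf("0777 under umask 022 -> actual %04o (predicted %04o)\n", $got, effectivePerms(0777, 0022));

// 2) Permissive umask (some containers/cron jobs run with 000): now 0777 really is world-writable.
umask(0000);
$got = createDirAndReport("$base/b", 0777);
printf("0777 under umask 000 -> actual %04o, world-writable: %s\n", $got, isWorldWritable("$base/b") ? 'yes' : 'no');

// 3) Defensive form: request only what is needed and enforce it with chmod, which ignores the umask.
$got = createDirAndReport("$base/c", 0755);
chmod("$base/c", 0755);
printf("0755 explicitly -> actual %04o, world-writable: %s\n", $got, isWorldWritable("$base/c") ? 'yes' : 'no');

umask($old);
foreach (['a', 'b', 'c'] as $d) {
    rmdir("$base/$d");
}
rmdir($base);
```

Run it with the web server's user (e.g. via sudo -u) to see the umask that actually applies to Piwik, since that, not the literal in the source, decides whether the cache directories come out world-writable.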

@mattab commented on May 19th 2020 Member

Thanks for contributing to this issue. As it has been a few months since the last activity and we believe this is likely not an issue anymore, we will now close this. If that's not the case, please do feel free to either reopen this issue or open a new one. We will gladly take a look again!

This Issue was closed on May 19th 2020