@software-opal opened this Issue on August 2nd 2017

Recently I have been looking into the security implications of automatically upgrading Piwik and whilst the Piwik Core is verified using a GPG key, the plugins get no such verification. As a result, an malicious party gaining access to the plugin server could replace latest plugin versions with malicious version with no verification.

The inclusions of libsodium in PHP 7.2 makes this easier. And there are pure-PHP libraries that are supported back to PHP 5. A similar issue was raised for WordPress, however it was postponed due to other priorities.

My understanding is that Piwik already implements auto-updates for it's plugins and as such any attack on the Piwik plugin infrastructure could potentially expose a large number of systems to malicious code.

There is a respectable guide(also linked in that WordPress issue) here on implementing upgrades for PHP.

@mattab commented on August 2nd 2017 Member

Thanks for the suggestion. Yes, it would be great to implement the code signing verification mechanism when downloading plugins from the Marketplace. And we also should implement this code signing mechanism when downloading the Piwik core platform via the auto-update mechanism.

Note: currently, the code signing is not checked, we only download the upgrade over HTTPS. Code signing procedure has to be done manually by the users who know about it. We would like to implement this as part of https://github.com/piwik/piwik/issues/7328
We also should surface the manual code signing instructions better, see https://github.com/piwik/piwik/issues/10687

Powered by GitHub Issue Mirror