@brenak opened this Issue on November 15th 2017

This is in the latest version of Piwik 3.2.0

If you head to the HTTPS address, using the direct IP, and get the warning message about an untrusted hostname, then view the source of that page, the listing for piwik.piwik_url is the INTERNAL IP and not the EXTERNAL that you used to get there. This should be fixed, it’s a low risk, but the internal should never be exposed to the general public. The only work around we have right now is to disable this feature using enable_trusted_host_check=0 Viewing the source with it disabled, displays the correct external IP.

@sgiehl commented on November 15th 2017 Member

Haven't had a closer look, but afaik it should output $_SERVER['HTTP_HOST']

@mattab commented on May 9th 2019 Member

Report today:

Matomo discloses the server's internal IP address via the 'Location' header if you access /index.php/ with a non-default host header

For example:
curl -v -H 'Host: demo.matomo.org:123' https://demo.matomo.org/index.php/
...
< HTTP/1.1 302 Found
< Location: https://127.0.235.163/index.php

Internal IP disclosure poses no real risk on its own, but it makes exploiting other vulnerabilities like SSRF quite a lot easier. I do not expect a bounty for this.

Powered by GitHub Issue Mirror