Internal IP Exposure #12278
Labels
c: Security
For issues that make Matomo more secure. Please report issues through HackerOne and not in Github.
Milestone
Comments
|
Haven't had a closer look, but afaik it should output |
sgiehl
added
the
c: Security
|
Report today: Matomo discloses the server's internal IP address via the 'Location' header if you access /index.php/ with a non-default host header For example: Internal IP disclosure poses no real risk on its own, but it makes exploiting other vulnerabilities like SSRF quite a lot easier. I do not expect a bounty for this. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This is in the latest version of Piwik 3.2.0
If you head to the HTTPS address, using the direct IP, and get the warning message about an untrusted hostname, then view the source of that page, the listing for piwik.piwik_url is the INTERNAL IP and not the EXTERNAL that you used to get there. This should be fixed, it’s a low risk, but the internal should never be exposed to the general public. The only work around we have right now is to disable this feature using enable_trusted_host_check=0 Viewing the source with it disabled, displays the correct external IP.
The text was updated successfully, but these errors were encountered: