If you head to the HTTPS address using the direct IP, get the warning message about an untrusted hostname, and then view the source of that page, the listing for piwik.piwik_url is the INTERNAL IP and not the EXTERNAL one that you used to get there. This should be fixed; it is low risk, but the internal IP should never be exposed to the general public. The only workaround we have right now is to disable this feature using enable_trusted_host_check=0. Viewing the source with it disabled displays the correct external IP.
Internal IP disclosure poses no real risk on its own, but it makes exploiting other vulnerabilities like SSRF quite a lot easier. I do not expect a bounty for this.
This is in the latest version of Piwik 3.2.0