@maquisard opened this Issue on December 19th 2018

I have deployed Matomo on our server and am trying to use it with our research project. However, the security scan from our IT team revealed the following, and I do not know how to fix it:
https://www.tenable.com/plugins/nessus/42424
For more details:
Using the GET HTTP method, Nessus found that :

+ The following resources may be vulnerable to blind SQL injection :

+ The 'module' parameter of the / CGI :

/?form_password_bis=&form_rememberme=1&action=resetPassword&form_login=&
form_nonce=920b32d3daaac6cbd0d13a7d7ba242ba&form_password=&module=Loginz
z&form_rememberme=1&action=resetPassword&form_login=&form_nonce=920b32d3
daaac6cbd0d13a7d7ba242ba&form_password=&module=Loginyy

-------- output --------

-------- vs --------
<!DOCTYPE html>
<html>
<head>
------------------------

+ The 'action' parameter of the / CGI :

/?form_password_bis=&module=Login&form_rememberme=1&form_login=&form_non
ce=920b32d3daaac6cbd0d13a7d7ba242ba&form_password=&action=resetPasswordz
z&module=Login&form_rememberme=1&form_login=&form_nonce=920b32d3daaac6cb
d0d13a7d7ba242ba&form_password=&action=resetPasswordyy

-------- output --------

-------- vs --------
<!DOCTYPE html>
<html>
<head>
------------------------

+ The 'module' parameter of the /index.php CGI :

/index.php?form_password=&form_rememberme=1&form_password_bis=&action=ge
tCss&cb=162e00e057819d2d2a4ea3eabdf3ae8a&form_login=&form_nonce=920b32d3
daaac6cbd0d13a7d7ba242ba&module=Proxyzz&form_rememberme=1&form_password_
bis=&action=getCss&cb=162e00e057819d2d2a4ea3eabdf3ae8a&form_login=&form_
nonce=920b32d3daaac6cbd0d13a7d7ba242ba&module=Proxyyy

-------- output --------
/* compile_me_once=dc278d4d511b826867ed0f08395edd6a */
/* Matomo CSS file is compiled with Less. You may be interested in [...]
/*!
-------- vs --------
<!DOCTYPE html>
<html>
<head>
------------------------

Using the POST HTTP method, Nessus found that :

+ The following resources may be vulnerable to blind SQL injection :

+ The 'form_login' parameter of the / CGI :

/ [form_password_bis=&module=Login&form_rememberme=1&action=resetPasswor
d&form_nonce=920b32d3daaac6cbd0d13a7d7ba242ba&form_password=&form_login=
zz&module=Login&form_rememberme=1&action=resetPassword&form_nonce=920b32
d3daaac6cbd0d13a7d7ba242ba&form_password=&form_login=yy]

-------- output --------
noclear="true"
context="error">
<strong>Error</strong>: Username or Email required
<br/>
<strong>Error</strong>: Password required
-------- vs --------
noclear="true"
context="error">
<strong>Error</strong>: Password required
<br/>
<strong>Error</strong>: Password (repeat) required
------------------------

+ The 'form_password' parameter of the / CGI :

/ [form_password_bis=&module=Login&form_rememberme=1&action=resetPasswor
d&form_login=&form_nonce=920b32d3daaac6cbd0d13a7d7ba242ba&form_password=
zz&module=Login&form_rememberme=1&action=resetPassword&form_login=&form_
nonce=920b32d3daaac6cbd0d13a7d7ba242ba&form_password=yy]

-------- output --------
<strong>Error</strong>: Username or Email required
<br/>
<strong>Error</strong>: Password required
<br/>
<strong>Error</strong>: Password (repeat) required
-------- vs --------
<strong>Error</strong>: Username or Email required
<br/>
<strong>Error</strong>: Password (repeat) required
<br/>
</div>
------------------------

/ [form_password_bis=&module=Login&form_rememberme=1&action=resetPasswor
d&form_login=&form_nonce=920b32d3daaac6cbd0d13a7d7ba242ba&form_password=
zz&module=Login&form_rememberme=1&action=resetPassword&form_login=&form_
nonce=920b32d3daaac6cbd0d13a7d7ba242ba&form_password=yy] {2}

-------- output --------
<strong>Error</strong>: Username or Email required
<br/>
<strong>Error</strong>: Password required
<br/>
<strong>Error</strong>: Password (repeat) required
-------- vs --------
<strong>Error</strong>: Username or Email required
<br/>
<strong>Error</strong>: Password (repeat) required
<br/>
</div>
------------------------
@tsteur commented on December 19th 2018 Member

These look like false positives. If you do find any concrete issues, feel free to get in touch through our email on https://matomo.org/security/

This Issue was closed on December 19th 2018