
Full Path Disclosure #14464

Closed
GIJohnathan opened this issue May 20, 2019 · 8 comments
Labels
duplicate For issues that already existed in our issue tracker and were reported previously.

Comments

@GIJohnathan

GIJohnathan commented May 20, 2019

A full path disclosure vulnerability was discovered in Matomo (v3.9.1) where a user can trigger a particular error to discover the full path of Matomo on the disk.

PAYLOAD
http://example.com/index.php?date=2019-04-20%2C2019-05-19&forceView=1&viewDataTable=test&module=API&action=get&widget=1&disableLink=0&idSite=1&period=day&columns=nb_outlinks%2Cnb_uniq_outlinks&colors={%22backgroundColor%22%3A%22%23ffffff%22%2C%22lineColor%22%3A%22%23162c4a%22%2C%22minPointColor%22%3A%22%23ff7f7f%22%2C%22maxPointColor%22%3A%22%2375bf7c%22%2C%22lastPointColor%22%3A%22%2355aaff%22%2C%22fillColor%22%3A%22%23ffffff%22

RESULT:

Neither the property "getRows" nor one of the methods "getRows()", "getgetRows()"/"isgetRows()" or "__call()" exist and have public access in class "Piwik\DataTable\Map".
in /var/www/html/mato/piwik/plugins/CoreVisualizations/templates/_dataTableViz_htmlTable.twig line 21

Discovered by Gionathan Armando Reale

CVE-2019-12215

@Findus23
Member

Hi,

On my Matomo instance this only shows the generic "A fatal error occurred" warning. Do you by chance have your PHP set up to show more details than it should in production?

@fdellwing
Contributor

I can confirm this problem, but it only works if the user has at least view access to the site.

No custom PHP settings are in place.

@GIJohnathan
Author

No custom settings here, and yeah, it requires authentication. I did state that :)

@fdellwing
Contributor

fdellwing commented May 20, 2019

This is the code that displays this additional error information:

{% if isAllowedToTroubleshootAsSuperUser or not isAnonymousUser %}
    <p>
        The following error just broke Matomo{% if showVersion %} (v{{ piwikVersion }}){% endif %}:
    </p>
    <pre>{{ lastError.message }}
{% if lastError.backtrace is defined %}{{ lastError.backtrace }}{% else %}in {{ lastError.file }} line {{ lastError.line }}{% endif %}
</pre>
    <hr>
    <h3>Troubleshooting</h3>
    Follow these steps to solve the issue or report it to the team:
    <ul>
        <li>
            If you have just updated Matomo to the latest version, please try to restart your web server.
            This will clear the PHP opcache which may solve the problem.
        </li>
        <li>
            If this is the first time you see this error, please try refresh the page.
        </li>
        <li>
            <strong>If this error continues to happen</strong>, we appreciate if you send the
            <a href="mailto:hello@matomo.org?subject={{ 'Fatal error in Matomo ' ~ piwikVersion|e('url') }}&body={{ lastError.message|e('url') }}%20in%20{{ lastError.file|e('url') }}%20{{ lastError.line|e('url') }}%20using%20PHP%20{{ constant('PHP_VERSION') }}">error report</a>
            to the Matomo team.
        </li>
    </ul>
    <hr/>
{% endif %}

So @Findus23 I would guess, you tried as anonymous user?

The easy fix would be probably to remove the basepath from lastError.file?
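To make the suggestion above concrete, here is an added example (not Matomo's own code, and not from anyone in this thread) of what "remove the basepath from lastError.file" and "only show details to super users" could look like in PHP. The function names, the `$basePath` value and the `$lastError` array are constructed for illustration; only the file path and line number are taken from the error quoted in this issue.

```php
<?php
// Added example (hypothetical helper names, not Matomo's API): redact the install
// base path from an error location and gate the detailed message on super-user status.

/**
 * Strip the installation base path from an absolute file path so the rendered
 * error only reveals a path relative to the application root.
 */
function redactBasePath(string $file, string $basePath): string
{
    $basePath = rtrim($basePath, '/') . '/';
    if (strpos($file, $basePath) === 0) {
        return substr($file, strlen($basePath));
    }
    // File lives outside the install directory (e.g. a system include):
    // keep only the basename rather than leaking a different absolute path.
    return basename($file);
}

/**
 * Build the text for the fatal-error page. Message, file and line are only
 * included for super users; everyone else gets the generic warning.
 */
function buildFatalErrorText(array $lastError, bool $isSuperUser, string $basePath): string
{
    if (!$isSuperUser) {
        return 'A fatal error occurred.';
    }

    if (isset($lastError['backtrace'])) {
        // A backtrace usually contains several absolute paths; redact all of them.
        $location = str_replace(rtrim($basePath, '/') . '/', '', $lastError['backtrace']);
    } else {
        $location = sprintf(
            'in %s line %d',
            redactBasePath($lastError['file'], $basePath),
            $lastError['line']
        );
    }

    // HTML-escape before the text is placed inside <pre>.
    return htmlspecialchars($lastError['message'] . "\n" . $location, ENT_QUOTES, 'UTF-8');
}

// Constructed sample mirroring the error quoted in this issue.
$basePath  = '/var/www/html/mato/piwik';
$lastError = [
    'message' => 'Neither the property "getRows" nor one of the methods "getRows()" exist in class "Piwik\DataTable\Map".',
    'file'    => '/var/www/html/mato/piwik/plugins/CoreVisualizations/templates/_dataTableViz_htmlTable.twig',
    'line'    => 21,
];

// Authenticated non-super-user: generic text only.
echo buildFatalErrorText($lastError, false, $basePath), "\n";
// Super user: message plus the path relative to the install root.
echo buildFatalErrorText($lastError, true, $basePath), "\n";
```

The `$isSuperUser` flag corresponds to the template's `isAllowedToTroubleshootAsSuperUser` condition without the `or not isAnonymousUser` branch; the base-path redaction is the second, independent layer in case the detailed view is ever shown more widely.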

@Findus23
Member

Not sure what I did wrong before, but now I can get the same safemode page. But I doubt that showing the full backtrace to superusers isn't that much of a security issue and helps greatly with debugging.

I'm not sure what is causing the exception itself as I can also reproduce it with https://dev.matomo/index.php?date=2019-04-20%2C2019-05-19&module=API&action=get&idSite=1&period=day
so I guess there is a parameter missing from the request.

@fdellwing
Contributor

The problem is that this page gets displayed for all users because the if has an or? If this information were only shown after adding i_am_super_user, the debugging could still happen?

@GIJohnathan
Author

Hi, @fdellwing has a great point, @Findus23 can you confirm this is a vulnerability please?

@sgiehl
Member

sgiehl commented May 20, 2019

The issue why that message appears at all was fixed in #14023
In general please avoid reporting path disclosures, as we don't consider them as security vulnerabilities. See https://matomo.org/security/

If you have any other urls that are throwing any kind of unexpected error, feel free to create issues for those errors (not any containing path disclosures).

@sgiehl sgiehl closed this as completed May 20, 2019
@sgiehl sgiehl added the duplicate For issues that already existed in our issue tracker and were reported previously. label May 20, 2019