@GIJohnathan opened this Issue on May 20th 2019

A full path disclosure vulnerability was discovered in Matomo (v3.9.1) where a user can trigger a particular error to discover the full path of Matomo on the disk.

PAYLOAD
http://example.com/index.php?date=2019-04-20%2C2019-05-19&forceView=1&viewDataTable=test&module=API&action=get&widget=1&disableLink=0&idSite=1&period=day&columns=nb_outlinks%2Cnb_uniq_outlinks&colors={%22backgroundColor%22%3A%22%23ffffff%22%2C%22lineColor%22%3A%22%23162c4a%22%2C%22minPointColor%22%3A%22%23ff7f7f%22%2C%22maxPointColor%22%3A%22%2375bf7c%22%2C%22lastPointColor%22%3A%22%2355aaff%22%2C%22fillColor%22%3A%22%23ffffff%22

RESULT:

Neither the property "getRows" nor one of the methods "getRows()", "getgetRows()"/"isgetRows()" or "__call()" exist and have public access in class "Piwik\DataTable\Map".
in /var/www/html/mato/piwik/plugins/CoreVisualizations/templates/_dataTableViz_htmlTable.twig line 21

Discovered by Gionathan Armando Reale

CVE-2019-12215

@Findus23 commented on May 20th 2019 Member

Hi,

On my Matomo instance this only shows the generic "A fatal error occurred" warning. Do you by chance have set up your PHP to show more details than it should in production?

@fdellwing commented on May 20th 2019 Contributor

I can confirm this problem, but it only works if the user has at least view access to the site.

No custom PHP settings are in place.

@GIJohnathan commented on May 20th 2019

No custom settings here, and yeah, it requires authentication. I did state that :)

@fdellwing commented on May 20th 2019 Contributor

This is the code that displays this additional error information:
https://github.com/matomo-org/matomo/blob/17ca84d486ee44662e42d10f8c3d18d7ab6d3bbc/plugins/CorePluginsAdmin/templates/safemode.twig#L35-L63

So @Findus23, I would guess you tried as an anonymous user?

The easy fix would probably be to remove the basepath from lastError.file?

@Findus23 commented on May 20th 2019 Member

Not sure what I did wrong before, but now I can get the same safemode page. But I doubt that showing the full backtrace to superusers isn't that much of a security issue and helps greatly with debugging.

I'm not sure what is causing the exception itself as I can also reproduce it with https://dev.matomo/index.php?date=2019-04-20%2C2019-05-19&module=API&action=get&idSite=1&period=day
so I guess there is a parameter missing from the request.

@fdellwing commented on May 20th 2019 Contributor

The problem is that this page gets displayed for all users because the if has an or? If this information would only be shown after adding i_am_super_user, the debug can still happen?
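
The two mitigations raised in this thread (stripping the install directory from lastError.file and only showing details to super users) as a single added example; this is illustrative PHP written for this page, not Matomo's own safemode code. The `$isSuperUser` flag, the `SAMPLE_LAST_ERROR` array and the base path `/var/www/html/mato/piwik` are constructed from the report above.

```php
<?php
declare(strict_types=1);

// Constructed sample of a last-error array as the safemode page would
// receive it; the message, file and line are taken from this report.
const SAMPLE_LAST_ERROR = [
    'message'   => 'Neither the property "getRows" nor one of the methods "getRows()", '
                 . '"getgetRows()"/"isgetRows()" or "__call()" exist and have public access '
                 . 'in class "Piwik\DataTable\Map".',
    'file'      => '/var/www/html/mato/piwik/plugins/CoreVisualizations/templates/_dataTableViz_htmlTable.twig',
    'line'      => 21,
    // Constructed backtrace lines, only to show that paths inside them are handled too.
    'backtrace' => "#0 /var/www/html/mato/piwik/core/Twig.php(12): example()\n"
                 . "#1 /var/www/html/mato/piwik/index.php(3): example()",
];

/**
 * Remove the installation directory from every path-bearing field of the
 * error array, so a rendered error never reveals where Matomo lives on disk.
 * Paths become relative to the install root (e.g. "plugins/.../x.twig").
 */
function stripBasePath(array $lastError, string $basePath): array
{
    $prefix = rtrim($basePath, '/') . '/';
    foreach (['message', 'file', 'backtrace'] as $field) {
        if (isset($lastError[$field]) && is_string($lastError[$field])) {
            $lastError[$field] = str_replace($prefix, '', $lastError[$field]);
        }
    }
    return $lastError;
}

/**
 * Decide what the error page may render: anyone who is not a super user gets
 * only the generic notice; super users get the details with paths stripped.
 */
function errorForDisplay(array $lastError, string $basePath, bool $isSuperUser): array
{
    if (!$isSuperUser) {
        return ['message' => 'A fatal error occurred'];
    }
    return stripBasePath($lastError, $basePath);
}

// Usage: a view-only user sees the generic notice, a super user sees
// "plugins/CoreVisualizations/templates/_dataTableViz_htmlTable.twig" with no base path.
print_r(errorForDisplay(SAMPLE_LAST_ERROR, '/var/www/html/mato/piwik', false));
print_r(errorForDisplay(SAMPLE_LAST_ERROR, '/var/www/html/mato/piwik', true));
```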

@GIJohnathan commented on May 20th 2019

Hi, @fdellwing has a great point, @Findus23 can you confirm this is a vulnerability please?

@sgiehl commented on May 20th 2019 Member

The issue why that message appears at all was fixed in https://github.com/matomo-org/matomo/pull/14023
In general, please avoid reporting path disclosures, as we don't consider them security vulnerabilities. See https://matomo.org/security/

If you have any other URLs that are throwing any kind of unexpected error, feel free to create issues for those errors (not any containing path disclosures).

This Issue was closed on May 20th 2019