A full path disclosure vulnerability was discovered in Matomo (v3.9.1) where a user can trigger a particular error to discover the full path of Matomo on the disk.
Neither the property "getRows" nor one of the methods "getRows()", "getgetRows()"/"isgetRows()" or "__call()" exist and have public access in class "Piwik\DataTable\Map".
in /var/www/html/mato/piwik/plugins/CoreVisualizations/templates/_dataTableViz_htmlTable.twig line 21
Discovered by Gionathan Armando Reale
On my Matomo instance this only shows the generic "A fatal error occurred" warning. Do you by chance have your PHP set up to show more details than it should in production?
I can confirm this problem, but it only works if the user has at least view access to the site.
No custom PHP settings are in place.
No custom settings here, and yeah, it requires authentication; I did state that :)
This is the code that displays this additional error information:
So @Findus23, I would guess you tried as an anonymous user?
The easy fix would probably be to remove the basepath from
Not sure what I did wrong before, but now I can get the same safemode page. But I doubt that showing the full backtrace to superusers is that much of a security issue, and it helps greatly with debugging.
I'm not sure what is causing the exception itself as I can also reproduce it with
so I guess there is a parameter missing from the request.
The problem is that this page gets displayed for all users because the
if has an
or? If this information were only shown after adding i_am_super_user, can the debugging still happen?
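As an added illustration of the two changes discussed in this thread (showing error details only to superusers, and stripping the install base path from what is shown), here is example PHP that is not Matomo's own code; the base path constant, the `isSuperUser()` check and the sample error text are assumptions constructed for the example.

```php
<?php
// Added example, not Matomo's code: gate error details on superuser status
// and remove the on-disk install path before anything is displayed.

// Assumed install directory, constructed to match the path quoted in the thread.
const INSTALL_BASE_PATH = '/var/www/html/mato/piwik';

// Placeholder for the real permission check; $user shape is assumed.
function isSuperUser(array $user): bool
{
    return !empty($user['superuser']);
}

// Replace every occurrence of the base path so the disk location is not revealed.
function stripBasePath(string $text, string $basePath = INSTALL_BASE_PATH): string
{
    return str_replace(rtrim($basePath, '/'), '<install dir>', $text);
}

// Non-superusers only ever see the generic message; superusers see sanitized details.
function renderError(string $message, string $file, int $line, array $user): string
{
    if (!isSuperUser($user)) {
        return 'A fatal error occurred.';
    }
    return stripBasePath($message . "\nin " . $file . ' line ' . $line);
}

// Constructed sample error resembling the one reported above.
$message = 'Neither the property "getRows" nor one of the methods "getRows()" ... exist';
$file    = INSTALL_BASE_PATH . '/plugins/CoreVisualizations/templates/_dataTableViz_htmlTable.twig';

echo renderError($message, $file, 21, ['superuser' => false]), "\n"; // generic warning only
echo renderError($message, $file, 21, ['superuser' => true]),  "\n"; // details, path replaced
```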
The issue why that message appears at all was fixed in https://github.com/matomo-org/matomo/pull/14023
In general, please avoid reporting path disclosures, as we don't consider them security vulnerabilities. See https://matomo.org/security/
If you have any other URLs that are throwing any kind of unexpected error, feel free to create issues for those errors (not any containing path disclosures).