Cached Post-Login Page Permits Re-sending User Credentials Vulnerability #14733
Labels
not-in-changelog
We recently had a vulnerability assessment which highlighted the following vulnerability in Matomo:
The Matomo login page does not perform a redirect after the user's credentials are sent to it. Valid login requests will have the server respond with a 200 OK rather than a 302 Redirect.
This means that this page can be refreshed in the browser and the credentials will be resent to the application. In a shared computer environment this can leave the user's credentials vulnerable to replay attacks or disclosure.
The response that is returned to the user after the login credentials have been sent should be an HTTP 302 redirect to the page that the application wishes to display. This will prevent the login credentials from being resubmitted if this page is refreshed, because the redirected page will be reloaded instead. The following HTTP headers would achieve this:
HTTP/1.1 302 Redirect
Location: http://example.com/app/landing-page
Note that a redirect should be added to any page which receives sensitive information to prevent requests being cached.
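As an added illustration of the Post/Redirect/Get pattern the report asks for (example code, not Matomo's own login handler): a flawed handler that answers the credential POST with 200, the hardened handler that answers with 302 plus Location, and a small browser simulation showing what a refresh re-sends in each case. The user table, landing URL and session token are constructed for the demo.

```python
from dataclasses import dataclass, field

# Constructed demo credential store; a real application checks a password hash.
USERS = {"alice": "correct horse battery staple"}
LANDING = "http://example.com/app/landing-page"  # URL taken from the report


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def valid(form):
    return USERS.get(form.get("login")) == form.get("password")


def login_renders_page(method, form):
    """Flawed handler: a valid credential POST is answered with 200 and the
    landing page itself, so a browser refresh repeats the POST (password and all)."""
    if method == "POST" and valid(form):
        return Response(200, {"Content-Type": "text/html"}, "<h1>Dashboard</h1>")
    return Response(200, {"Content-Type": "text/html"}, "<form>login</form>")


def login_redirects(method, form):
    """Hardened handler: a valid credential POST gets 302 + Location (and the
    session cookie); the browser then GETs the landing page, so a refresh only
    repeats that GET and never carries the credentials again."""
    if method == "POST" and valid(form):
        cookie = "session=DEMO-TOKEN; HttpOnly; Secure; Path=/"  # constructed token
        return Response(302, {"Location": LANDING, "Set-Cookie": cookie})
    return Response(200, {"Content-Type": "text/html"}, "<form>login</form>")


def request_resent_on_refresh(handler, form):
    """Simulate the browser: submit the POST, follow a redirect with a GET, then
    press refresh. Returns (method, form data) of the request the refresh re-issues."""
    method, data = "POST", dict(form)
    resp = handler(method, data)
    if resp.status in (301, 302, 303) and "Location" in resp.headers:
        method, data = "GET", {}  # redirect followed with a GET carrying no form body
    return method, data
```

With the flawed handler the refreshed request is the original POST including the password; with the hardened one it is a bare GET of the landing page.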