
SSRF at DB setup due to lack of input validation #15988

Open
sh0lt0 opened this issue May 26, 2020 · 3 comments
Labels
c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github.

Comments

@sh0lt0

sh0lt0 commented May 26, 2020

This issue corresponds to https://hackerone.com/reports/881345 by me.

Description
The Matomo application, during installation, asks the user to create a database setup, which is handled by the file at line

`$host = $this->getSubmitValue('host');`

which takes the host as input from the user. The host parameter has no input validation, so instead of supplying a URI, the attacker inserted a socket IP:Port. If the port is open, it will create a session.

Steps to Reproduce

  1. Download the Matomo application from GitHub and start the installation.
  2. At the Database setup page, insert IP:$port, e.g. 127.0.0.1:8080

For open ports, a connection will be established and for closed it will say connection refused. Please check the screenshot.

It is suggested to validate user input or create a separate field for port if it is meant to be a functionality.

Impact

If a person is authorized to install and maintain Matomo remotely and does not have access to the server on which Matomo is being installed, then an attacker can successfully do an internal port scan of the network and interact with other services running on other ports.

@Findus23
Member

Findus23 commented May 26, 2020

In what way is this different to Wordpress, Nextcloud, Mediawiki, Moodle, etc. that all allow you to specify the MySQL host during the setup?

Can you also expand on how you would want to validate the user input? Any port and hostname could be a valid one (as one can install MySQL on any port), so any input by the user is valid.

@Findus23 Findus23 added c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. Waiting for user feedback Indicates the Matomo team is waiting for feedback from the author or other users. labels May 26, 2020
@sh0lt0
Author

sh0lt0 commented May 26, 2020

Hi @Findus23
I am not aware of the other products mentioned; I have never worked on them, so I can't say anything about them.

Validation:
The page that allows the user to set up the database has a field, Host, which ideally should take a host, not a socket as I provided. To do so, a regex pattern can be used for this field, or input character policies should be used; additionally, a Port field can also be added. A similar technique was used in CVE-2017-7272.
To perform a successful attack, I sent multiple requests to check the open and closed ports, so adding rate limiting is also a good idea.

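An added example (not Matomo's own code, and not part of this thread) of the validation the comment above suggests: a Host field that accepts only a hostname or IP literal, and a separate Port field that accepts only an integer in range. The function names are hypothetical and the sample inputs are constructed. As Findus23 notes, any hostname and port may be a legitimate MySQL server, so this check only stops socket syntax from being smuggled into the host field; limiting repeated setup attempts, as the reporter also suggests, is the complementary control.

```php
<?php
// Added example, not Matomo's code: validate DB setup fields with the port
// kept separate from the host, so "127.0.0.1:8080" is rejected as a host.
declare(strict_types=1);

/**
 * True if $host is a bare hostname or IP address: no port, scheme, path,
 * or other socket syntax. (Hypothetical helper name.)
 */
function isValidDbHost(string $host): bool
{
    $host = trim($host);
    if ($host === '' || strlen($host) > 253) {
        return false;
    }
    // IPv4 or IPv6 literal without brackets or a trailing port.
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return true;
    }
    // DNS hostname: dot-separated labels of letters, digits and hyphens.
    // A ':' or '/' anywhere (as in "host:3306" or "mysql://host") fails.
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    return preg_match('/^(?:' . $label . '\.)*' . $label . '$/', $host) === 1;
}

/** True if $port is an integer in 1..65535. (Hypothetical helper name.) */
function isValidDbPort(string $port): bool
{
    $port = trim($port);
    return preg_match('/^[0-9]{1,5}$/', $port) === 1
        && (int) $port >= 1
        && (int) $port <= 65535;
}

/**
 * Validate both fields; returns a list of error messages, empty on success.
 */
function validateDbConnectionFields(string $host, string $port): array
{
    $errors = [];
    if (!isValidDbHost($host)) {
        $errors[] = 'Host must be a hostname or IP address without a port.';
    }
    if (!isValidDbPort($port)) {
        $errors[] = 'Port must be an integer between 1 and 65535.';
    }
    return $errors;
}

// Constructed sample inputs: the first mirrors the report, the rest are
// ordinary values a legitimate installer might enter.
$samples = [
    ['127.0.0.1:8080', '3306'],          // socket syntax in host -> rejected
    ['127.0.0.1', '3306'],               // plain IP, separate port -> OK
    ['db.internal.example', '3307'],     // hostname, custom port -> OK
    ['mysql://db.example.com', '3306'],  // scheme in host -> rejected
    ['::1', '65536'],                    // IPv6 OK, port out of range -> rejected
];
foreach ($samples as [$host, $port]) {
    $errors = validateDbConnectionFields($host, $port);
    printf("%-26s %-6s %s\n", $host, $port, $errors ? implode(' ', $errors) : 'OK');
}
```

Run with `php example.php`; the first, fourth and fifth rows print an error message and the others print `OK`. The regex deliberately matches the whole trimmed string, so anything beyond a hostname or IP literal is refused rather than silently truncated.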
@sh0lt0
Author

sh0lt0 commented Jun 5, 2020

> In what way is this different to Wordpress, Nextcloud, Mediawiki, Moodle, etc. that all allow you to specify the MySQL host during the setup?
>
> Can you also expand on how you would want to validate the user input? Any port and hostname could be a valid one (as one can install MySQL on any port), so any input by the user is valid.

Please look into it

@sgiehl sgiehl removed the Waiting for user feedback Indicates the Matomo team is waiting for feedback from the author or other users. label Oct 9, 2023