@Baheraimarjun opened this Issue on May 26th 2020

This issue corresponds to https://hackerone.com/reports/881345 by me.

Description
The Matomo application, during installation, asks the user to create a database setup, which is handled by the file at line https://github.com/matomo-org/matomo/blob/4afbe93a40334d31f2e0a71867277d183938f7a5/plugins/Installation/FormDatabaseSetup.php#L122 , which takes the host as input from the user. The host parameter has no input validation, so instead of supplying a URI the attacker inserted a socket IP:Port. If the port is open, it will create a session.

Steps to Reproduce

  1. Download the Matomo application from GitHub and start the installation.
  2. At the Database setup page, insert IP:$port, e.g. 127.0.0.1:8080

For open ports, a connection will be established, and for closed ones it will say connection refused. Please check the screenshot.

It is suggested to validate the user input or to create a separate field for the port if it is meant to be a feature.

Impact

If a person is authorized to install and maintain Matomo remotely and does not have access to the server on which Matomo is being installed, then an attacker can successfully do an internal port scan of the network and interact with other services running on other ports.

@Findus23 commented on May 26th 2020 Member

In what way is this different to Wordpress, Nextcloud, Mediawiki, Moodle, etc. that all allow you to specify the MySQL host during the setup?

Can you also expand on how you would want to validate the user input? Any port and hostname could be a valid one (as one can install MySQL on any port), so any input by the user is valid.

@Baheraimarjun commented on May 26th 2020

Hi @Findus23
I am not aware of any of the other products mentioned; I have never worked on them, so I can't say anything about them.

Validation:
The page that allows the user to set up the database has a field Host, which ideally should take a host, not a socket as I provided. To do so, a regex pattern can be used for this field, or input character policies should be used, and additionally a field Port can be added; a similar technique was used in CVE-2017-7272.
To perform a successful attack, I sent multiple requests to check the open and closed ports --> adding rate limiting is also a good idea.
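The validation proposed in the comment above, written out as an added example; this is not code from Matomo or from the reporter. It accepts the Host field only as a bare hostname or IP literal, so a `host:port` socket string is rejected, and reads the port from a separate field restricted to the TCP port range. The function names, the default port of 3306 and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example (not Matomo's code): validate the database "Host" field as a
// bare hostname or IP literal, and take the port from its own field.
// Function names and the default port are assumptions for illustration.

function validateDbHost(string $host): bool
{
    $host = trim($host);
    if ($host === '' || strlen($host) > 253) {
        return false;
    }
    // An IPv4 or IPv6 literal without brackets or a port suffix is accepted.
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return true;
    }
    // Hostname: dot-separated labels of letters, digits and hyphens only.
    // A colon can never match, so "127.0.0.1:8080" is rejected here.
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    return preg_match('/^(?:' . $label . '\.)*' . $label . '\.?$/i', $host) === 1;
}

function validateDbPort(string $port): ?int
{
    // Separate field: an integer in 1..65535; empty means the default (assumed 3306).
    if (trim($port) === '') {
        return 3306;
    }
    $n = filter_var($port, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 65535],
    ]);
    return $n === false ? null : $n;
}

// Constructed sample inputs showing the decision for each one.
$hosts = [
    'localhost',
    'db.internal.example',
    '127.0.0.1',
    '::1',
    '127.0.0.1:8080',          // socket string: rejected
    'db.example:3306',         // port belongs in its own field: rejected
    'db.example/path',         // not a hostname: rejected
];
foreach ($hosts as $h) {
    printf("host %-24s %s\n", $h, validateDbHost($h) ? 'accepted' : 'rejected');
}

foreach (['', '3306', '65536', '8080abc'] as $p) {
    $n = validateDbPort($p);
    printf("port %-24s %s\n", $p === '' ? '(empty)' : $p, $n === null ? 'rejected' : "accepted as $n");
}
```

Splitting host and port into two fields is what makes the check simple: each field has a narrow grammar, so the form can reject anything that does not fit before a connection attempt is made, rather than trying to guess what the connector will do with an arbitrary string.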

@Baheraimarjun commented on June 5th 2020

In what way is this different to Wordpress, Nextcloud, Mediawiki, Moodle, etc. that all allow you to specify the MySQL host during the setup?

Can you also expand on how you would want to validate the user input? Any port and hostname could be a valid one (as one can install MySQL on any port), so any input by the user is valid.

Please look into it
