SSRF at DB setup due to lack of input validation #15988
Labels: c: Security
This issue corresponds to https://hackerone.com/reports/881345 by me.
Description
During installation, the Matomo application asks the user to create a database setup, which is handled by the file matomo/plugins/Installation/FormDatabaseSetup.php at line 122 in 4afbe93.
Steps to Reproduce
For open ports, a connection will be established, and for closed ones it will say connection refused. Please check the screenshot.
It is suggested to validate the user input, or to create a separate field for the port if it is meant to be a functionality.
Impact
If a person is authorized to install and maintain Matomo remotely and does not have access to the server on which Matomo is being installed, then an attacker can successfully do an internal port scan of the network and interact with other services running on other ports.
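The report's suggested mitigation, shown as an added example in PHP (the language of the file named above); this is not Matomo's own code and does not reproduce the logic of FormDatabaseSetup.php. It assumes the installer form is split into a host field and a separate port field, as the report suggests, and that the validated pair is what is later handed to the database driver. The host validator accepts only a bare hostname or IP literal, so a value carrying a port, scheme or path is rejected before any connection attempt is made; the port validator accepts only a decimal number in the valid range. The sample inputs at the bottom are constructed for illustration.

```php
<?php
// Added example (not Matomo code): validate the database host and port as
// two separate fields so the host field cannot be used to steer the
// installer's connection attempt to an arbitrary host:port.

declare(strict_types=1);

/**
 * Accept only a bare hostname or an IP literal.
 * Rejects "host:port", URL schemes, paths, whitespace and empty input.
 */
function validateDbHost(string $host): string
{
    $host = trim($host);
    if ($host === '' || strlen($host) > 253) {
        throw new InvalidArgumentException('Database host is empty or too long.');
    }
    // IPv4 or IPv6 literal (without brackets) is accepted as-is.
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return $host;
    }
    // Otherwise require DNS-style labels: letters, digits and hyphens,
    // separated by dots, no leading or trailing hyphen. A colon fails here,
    // so "10.0.0.5:22" cannot pass as a host.
    $label = '(?!-)[A-Za-z0-9-]{1,63}(?<!-)';
    if (!preg_match('/^' . $label . '(\.' . $label . ')*$/', $host)) {
        throw new InvalidArgumentException(
            'Database host must be a hostname or IP address without port, scheme or path.'
        );
    }
    return $host;
}

/**
 * Accept only a decimal port in 1..65535; empty input means the MySQL
 * default of 3306 (assumed default, not taken from the installer).
 */
function validateDbPort(string $port): int
{
    $port = trim($port);
    if ($port === '') {
        return 3306;
    }
    if (!preg_match('/^[0-9]{1,5}$/', $port)) {
        throw new InvalidArgumentException('Database port must be numeric.');
    }
    $value = (int) $port;
    if ($value < 1 || $value > 65535) {
        throw new InvalidArgumentException('Database port is out of range.');
    }
    return $value;
}

// Constructed sample inputs: [host field, port field]
$samples = [
    ['db.example.internal', ''],   // accepted, port defaults to 3306
    ['10.0.0.5', '3307'],          // accepted
    ['10.0.0.5:22', ''],           // rejected: port smuggled into the host field
    ['http://10.0.0.5/', ''],      // rejected: scheme and path in the host field
];

foreach ($samples as [$host, $port]) {
    try {
        $h = validateDbHost($host);
        $p = validateDbPort($port);
        echo "OK   host={$h} port={$p}\n";
    } catch (InvalidArgumentException $e) {
        echo "FAIL host={$host} port={$port}: {$e->getMessage()}\n";
    }
}
```

Validating the fields this way removes the ability to smuggle a port through the host field, which is the specific defect the report describes. It does not by itself decide which hosts a remote installer should be allowed to reach at all; where that matters, the same functions are the natural place to add an allowlist check before the connection is attempted.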