Displaying widgets in iframes logs bruteforce attacks #16867
Comments
Hi @olinox14 which version of Matomo are you using? I just tried to reproduce this with Matomo 4 and it works there for me and doesn't log any brute force records. I think I remember there was some similar issue in some specific Matomo version but this might be fixed in a recent update.
Hi @tsteur I'm implementing a stats page in a Typo3 CMS backend module. I tried to give the right to view the site to the anonymous user, then by using an actual user and adding its token_auth to the iframe URLs, same issue.
I was able to reproduce that. The problem is that this widget tries to send API requests forcing a session usage, which fails widgetized. Will check if there is an easy solution
@sgiehl as mentioned in the PR it should fix it for widgets but we still need to check if it also affects embedding regular controller actions, as some users seem to do that
I will check that now
@tsteur that is still a problem, and generates brute force entries. I'm not sure what the best solution would be. Another possibility would be to change the widgetize check I've added and check if the token_auth is given in the URL instead of checking for the Widgetize module.
@sgiehl ideally we avoid this if at all possible, as it should be better to exactly check a value against a session vs token etc. I'd need to think a bit more but if really needed we could do it. What about: If the actual URL includes token but no force_session_api then we don't set the
I use iframes to render some of the widgets in a website located on another server but on the same local network. Matomo's host and this website's are also subdomains of the same domain.

I added the iframes like suggested on the `index.php?module=Widgetize&action=index` page, with some little adjustments and using the token of a user who has the right to view the website:

The widgets do appear as expected, however every time the second iframe is rendered (`getEvolutionGraph`), a new entry is added to the `matomo_brute_force_log` table.

I also had this very same problem with the widget `moduleToWidgetize=VisitsSummary&actionToWidgetize=get`, but only when the parameters `forceView=1&viewDataTable=VisitorLog` were added to the URL; if those parameters are removed, the problem disappears. Of course, removing these parameters does not resolve the getEvolutionGraph case...

Because of this problem, the user's IP will be blocked for no reason if he visits the stats page more than the X times allowed by the brute force settings, making these widgets impossible to use in production.
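To make the failure mode in this report concrete, here is an added, simplified model of a brute-force login guard, written for this thread and not taken from Matomo's code. It assumes a counter of failed authentications per viewer IP with a block threshold (standing in for the "X times allowed" setting), a request flag named `force_session_api` after the parameter mentioned in the thread, and a constructed placeholder token. It shows how a widget whose internal API call demands a session can fail that check on every page load even though the token_auth in the URL is valid, so the counter grows until the viewer's IP is blocked, and how exempting token-authenticated widget requests from the session path stops the entries from being logged.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed threshold standing in for the brute-force setting in the report.
MAX_FAILED_ATTEMPTS = 3
VIEWER_IP = "203.0.113.5"                 # constructed sample viewer address
VALID_TOKEN = "VALID_TOKEN_PLACEHOLDER"   # placeholder, not a real token_auth


@dataclass
class BruteForceLog:
    """Per-IP counter of failed authentications (simplified, not Matomo's table)."""
    failed_attempts: dict = field(default_factory=lambda: defaultdict(int))

    def record_failure(self, ip: str) -> None:
        self.failed_attempts[ip] += 1

    def is_blocked(self, ip: str) -> bool:
        return self.failed_attempts[ip] >= MAX_FAILED_ATTEMPTS


def authenticate(request: dict, valid_tokens: set, log: BruteForceLog,
                 session_fix: bool) -> bool:
    """Authenticate one request; every failure is counted against the IP.

    session_fix=False models the reported behaviour; session_fix=True models
    not forcing a token-authenticated widget request onto the session path.
    """
    ip = request["ip"]
    if log.is_blocked(ip):
        return False
    if request.get("token_auth") not in valid_tokens:
        log.record_failure(ip)          # a genuinely bad token: counted, as it should be
        return False
    # Some widgets issue internal API calls that require a session. An iframe
    # viewer has no Matomo session, so that check fails and is logged as if it
    # were a failed login, although the token in the URL was valid.
    if request.get("force_session_api") and not request.get("has_session"):
        if not session_fix:
            log.record_failure(ip)
            return False
    return True


def simulate_page_loads(n_loads: int, session_fix: bool) -> tuple:
    """Render the widget n_loads times from one viewer IP.

    Returns (failures logged for that IP, whether the IP ended up blocked).
    """
    log = BruteForceLog()
    valid_tokens = {VALID_TOKEN}
    for _ in range(n_loads):
        # The iframe URL itself: token_auth present, authenticates fine.
        authenticate({"ip": VIEWER_IP, "token_auth": VALID_TOKEN},
                     valid_tokens, log, session_fix)
        # The widget's internal API call that insists on a session.
        authenticate({"ip": VIEWER_IP, "token_auth": VALID_TOKEN,
                      "force_session_api": True, "has_session": False},
                     valid_tokens, log, session_fix)
    return log.failed_attempts[VIEWER_IP], log.is_blocked(VIEWER_IP)


if __name__ == "__main__":
    print("reported behaviour:", simulate_page_loads(3, session_fix=False))
    print("with session fix:  ", simulate_page_loads(3, session_fix=True))
```

Run as a script, the first line shows three logged failures and a blocked IP after three ordinary page views, the second shows no entries at all; the same model still counts a request carrying a wrong token, which is the case the guard exists for.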