@MichaIng opened this Issue on May 14th 2021

Expected Behavior

With .htaccess installed and respected which blocks any access to matomo/config, which can be verified by manually trying to access the directory or any contained file and running a curl locally and remotely, the Matomo system check should not throw related "critical issues".

Current Behavior

https://domain.com/matomo/config/config.ini.php

We found that the above URLs are accessible via the browser, but they should NOT be. Allowing them to be accessed can pose a potential security risk since the contents can provide information about your server and potentially your users. Please restrict access to them.

We also found that Matomo's config directory is publicly accessible. While attackers can't read the config now, if your webserver stops executing PHP files for some reason, your MySQL credentials and other information will be available to anyone. Please check your webserver config and deny access to this directory.

Possible Solution

TBD, I'll have a look into the code.

Steps to Reproduce (for Bugs)

  1. Upgrade to Matomo 4.3.0-rc2 (issue appeared with rc1, AFAIK)
  2. Check Diagnostics > System Check

Context

Your Environment

  • Matomo Version: 4.3.0-rc2
  • PHP Version: 8.0.5
  • Server Operating System: Debian Bullseye
  • Additionally installed plugins:

    Plugins Activated:

    API, Actions, Annotations, BotTracker 2.01, BulkTracking, Contents, CoreAdminHome, CoreConsole, CoreHome, CorePluginsAdmin, CoreUpdater, CoreVisualizations, CustomJsTracker, DBStats, DarkTheme 1.1.6, Dashboard, DevicePlugins, DevicesDetection, Diagnostics, Goals, Heartbeat, ImageGraph, Insights, Installation, Intl, LanguagesManager, Live, LogViewer 4.0.1, Login, Marketplace, Monolog, Morpheus, Overlay, PagePerformance, PrivacyManager, Proxy, Referrers, Resolution, SEO, SegmentEditor, SitesManager, Transitions, UserLanguage, UsersManager, VisitFrequency, VisitTime, VisitorInterest, VisitsSummary, WebsiteMeasurable

@Findus23 commented on May 14th 2021 Member

Hi,

(see #17490)

What exactly is the output of curl -v https://domain.com/matomo/config/config.ini.php?
Does it respond with a 403 or return just a ;?

@MichaIng commented on May 14th 2021

It's an HTTP/2 403 to be precise, in both cases, when running from the server itself as well as when running from a remote machine (where it's behind Cloudflare). But a 403 + 404 handler page is shown, not an empty response body.

That will be the issue: $isAccessible = strpos($data, ';') !== false; is used to check access to the config file, hence not the response code. Since the 40x handler page can of course contain a ;, this will return a wrong result in most cases. Is there a reason to not check the response code as well for the config file?
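
The false positive described in the comment above, reproduced as an added example (this is not Matomo's code, and the status-aware variant is an illustrative assumption, not necessarily the fix that shipped): the body-only check quoted from the bug report flags any response whose body contains a `;`, so a themed 403 page with inline CSS is reported as an exposed config file. A check that first requires an HTTP 200 distinguishes the three constructed responses correctly. The sample responses, the function names and the script name are constructed for this example.

```php
<?php
// Added example, not Matomo's code: compare the body-only check from the bug
// report with a variant that also requires an HTTP 200 before treating the
// config file as exposed.

// Constructed sample responses. Matomo's real check fetches
// https://<host>/matomo/config/config.ini.php and inspects the result.
$samples = [
    'exposed_200' => [
        'status' => 200,
        // A served config.ini.php starts with an INI comment line, hence the ';'.
        'body'   => "; <?php exit; ?> DO NOT REMOVE THIS LINE\n[database]\nhost = \"127.0.0.1\"\n",
    ],
    'blocked_custom_403' => [
        'status' => 403,
        // A themed 403/404 handler page almost always contains a ';' somewhere.
        'body'   => "<html><style>body{margin:0;}</style><body>Forbidden</body></html>",
    ],
    'blocked_empty_403' => [
        'status' => 403,
        'body'   => '',
    ],
];

// The check as quoted in the bug report: body contains ';' => accessible.
// Any error page carrying a ';' produces a false "accessible".
function isAccessibleBodyOnly(string $body): bool
{
    return strpos($body, ';') !== false;
}

// Illustrative hardened variant (an assumption, not Matomo's actual fix):
// only a successful response that also carries the INI marker counts as exposed,
// so a 403/404 handler page is never mistaken for the config file.
function isAccessibleWithStatus(int $status, string $body): bool
{
    if ($status !== 200) {
        return false;
    }
    return strpos($body, ';') !== false;
}

foreach ($samples as $name => $response) {
    printf(
        "%-20s status=%d  body-only=%-10s  with-status=%s\n",
        $name,
        $response['status'],
        isAccessibleBodyOnly($response['body']) ? 'accessible' : 'blocked',
        isAccessibleWithStatus($response['status'], $response['body']) ? 'accessible' : 'blocked'
    );
}
```

Run it with php check_config_exposure.php (hypothetical file name); the blocked_custom_403 row is the case from this thread, where the body-only check reports the file as accessible while the status-aware check reports it as blocked. Tying the verdict to the status code also matches how the reporter verified the block in the first place: curl returning 403 for the file, regardless of what the error page contains.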

@MichaIng commented on May 16th 2021

Many thanks, the fix works here as well :+1:.

@mattab commented on May 17th 2021 Member

Thanks @MichaIng for finding this issue in the RC before the release and letting us know :100:

@MichaIng commented on May 17th 2021

My pleasure, thanks for developing a great self-hosted analytics platform 🙂.

This Issue was closed on May 16th 2021