
[4.3.0-rc] System check falsely detects config/config.ini.php readable #17559

Closed
MichaIng opened this issue May 14, 2021 · 5 comments · Fixed by #17568
Labels
Bug For errors / faults / flaws / inconsistencies etc. not-in-changelog For issues or pull requests that should not be included in our release changelog on matomo.org. Regression Indicates a feature used to work in a certain way but it no longer does even though it should.
Comments

@MichaIng
Contributor

Expected Behavior

With .htaccess installed and respected which blocks any access to matomo/config, which can be verified by manually trying to access the directory or any contained file and running a curl locally and remotely, the Matomo system check should not throw a related "critical issues".

Current Behavior

https://domain.com/matomo/config/config.ini.php

We found that the above URLs are accessible via the browser, but they should NOT be. Allowing them to be accessed can pose a potential security risk since the contents can provide information about your server and potentially your users. Please restrict access to them.

We also found that Matomo's config directory is publicly accessible. While attackers can't read the config now, if your webserver stops executing PHP files for some reason, your MySQL credentials and other information will be available to anyone. Please check your webserver config and deny access to this directory.

Possible Solution

TBD, I'll have a look into the code.

Steps to Reproduce (for Bugs)

  1. Upgrade to Matomo 4.3.0-rc2 (issue appeared with rc1, AFAIK)
  2. Check Diagnostics > System Check

Context

Your Environment

  • Matomo Version: 4.3.0-rc2
  • PHP Version: 8.0.5
  • Server Operating System: Debian Bullseye
  • Additionally installed plugins:

    Plugins Activated:

    API, Actions, Annotations, BotTracker 2.01, BulkTracking, Contents, CoreAdminHome, CoreConsole, CoreHome, CorePluginsAdmin, CoreUpdater, CoreVisualizations, CustomJsTracker, DBStats, DarkTheme 1.1.6, Dashboard, DevicePlugins, DevicesDetection, Diagnostics, Goals, Heartbeat, ImageGraph, Insights, Installation, Intl, LanguagesManager, Live, LogViewer 4.0.1, Login, Marketplace, Monolog, Morpheus, Overlay, PagePerformance, PrivacyManager, Proxy, Referrers, Resolution, SEO, SegmentEditor, SitesManager, Transitions, UserLanguage, UsersManager, VisitFrequency, VisitTime, VisitorInterest, VisitsSummary, WebsiteMeasurable

@MichaIng MichaIng added the Potential Bug Something that might be a bug, but needs validation and confirmation it can be reproduced. label May 14, 2021
@Findus23
Member

Findus23 commented May 14, 2021

Hi,

(see #17490)

What exactly is the output of curl -v https://domain.com/matomo/config/config.ini.php?
Does it respond with a 403 or return just a ;?

@MichaIng
Contributor Author

MichaIng commented May 14, 2021

It's an HTTP/2 403 to be precise, in both cases, when running from the server itself as well as when running from a remote machine (where it's behind Cloudflare). But a 403 + 404 handler page is shown, no empty response body.

That will be the issue: $isAccessible = strpos($data, ';') !== false; is used to check access to the config file, hence not the response code. Since the 40x handler page can of course contain a ;, this will return a wrong result in most cases. Is there a reason to not check the response code as well for the config file?
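
The failure mode described in the comment above, as an added example that is not Matomo's code and not the fix merged in #17568: the quoted body-only heuristic is placed beside a variant that first gates on the HTTP status code, and both are run over constructed responses (a 403 handler page containing a ';', a 200 with the "; <?php exit; ?>" stub, a 200 with the raw ini file). The sample responses and both function names are assumptions for illustration.

```php
<?php
// Added example, not Matomo code. The original heuristic treats any body
// containing ';' as "config file readable", so a webserver 403 page that
// happens to contain ';' is misreported. The hardened variant (an assumption,
// not the actual fix) only examines 2xx responses.

// Constructed responses: [HTTP status, response body].
$samples = [
    'denied, handler page with ;' => [403, "<p>Forbidden; contact the admin.</p>"],
    'denied, plain body'          => [403, "Forbidden"],
    'PHP executed, exit stub'     => [200, "; "],
    'PHP not executed, raw ini'   => [200, "; <?php exit; ?> DO NOT REMOVE THIS LINE\n[database]\npassword = \"secret\"\n"],
    'missing file'                => [404, "Not Found; try again"],
];

// Heuristic as quoted in the issue: accessible if the body contains ';'.
function isAccessibleBodyOnly(string $body): bool
{
    return strpos($body, ';') !== false;
}

// Hardened: a 4xx/5xx from the webserver means the request was denied, so
// only a 2xx response is examined; the ';' then identifies the config file's
// leading "; <?php exit; ?>" line, whether or not PHP executed it.
function isAccessibleWithStatus(int $status, string $body): bool
{
    if ($status < 200 || $status >= 300) {
        return false;
    }
    return strpos($body, ';') !== false;
}

foreach ($samples as $label => [$status, $body]) {
    printf("%-28s status=%d  body-only=%-5s  with-status=%s\n",
        $label, $status,
        isAccessibleBodyOnly($body) ? 'true' : 'false',
        isAccessibleWithStatus($status, $body) ? 'true' : 'false');
}
```

Only the first sample (a 403 whose error page contains a ';') makes the two checks disagree, which is exactly the false positive the system check reported.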

@Findus23 Findus23 added Bug For errors / faults / flaws / inconsistencies etc. and removed Potential Bug Something that might be a bug, but needs validation and confirmation it can be reproduced. labels May 14, 2021
@Findus23 Findus23 added this to the 4.3.0 milestone May 14, 2021
@tsteur tsteur added the Regression Indicates a feature used to work in a certain way but it no longer does even though it should. label May 16, 2021
@MichaIng
Contributor Author

Many thanks, the fix works here as well 👍.

@mattab mattab added the not-in-changelog For issues or pull requests that should not be included in our release changelog on matomo.org. label May 17, 2021
@mattab
Member

mattab commented May 17, 2021

Thanks @MichaIng for finding this issue in the RC before the release and letting us know 💯

@MichaIng
Contributor Author

My pleasure, thanks for developing a great self-hosted analytics platform 🙂.
