@alexhass opened this Issue on October 11th 2021

The security check fails, but security files have been generated.

./console core:create-security-files

Expected Behavior

No errors

Current Behavior

We found that the above URLs are accessible via the browser, but they should NOT be. Allowing them to be accessed can pose a potential security risk since the contents can provide information about your server and potentially your users. Please restrict access to them.

We also found that Matomo's config directory is publicly accessible. While attackers can't read the config now, if your webserver stops executing PHP files for some reason, your MySQL credentials and other information will be available to anyone. Please check your webserver config and deny access to this directory.

Possible Solution

Fix bug.

Steps to Reproduce (for Bugs)

  1. Upgrade to Matomo 4.5
Your Environment

  • Matomo Version: 4.5
  • PHP Version: 7.3
  • Server Operating System: Debian 9
  • Browser: Google Chrome
  • Operating System: Windows 10 20H2

@alexhass commented on October 11th 2021

If I run ./console diagnostics:run I get "Unable to test if mod_pagespeed is enabled: the request to http://unknown/./console?module", which seems to be a known bug since 2017. No idea how to solve this.

@tsteur commented on October 11th 2021 Member

@alexhass the mod_pagespeed log can be ignored in this case. You might just want to manually check if mod_pagespeed is enabled or not.

If I understand correctly then some of the URLs are accessible via the browser, but they should NOT be. Which web browser are you using?

See also https://matomo.org/faq/troubleshooting/how-do-i-fix-the-error-private-directories-are-accessible/

@alexhass commented on October 12th 2021

I have an apache2 machine on Debian 9. I used the linked article to fix the issue, but it does not seem to be working. .htaccess is allowed to change all settings. I guess your permission files are not working well.

@tsteur commented on October 12th 2021 Member

Hi @alexhass we haven't had any problems there otherwise in the past and it seems to work in general. Can you check

  • If the .htaccess files were actually created? E.g. do config/.htaccess, plugins/.htaccess and tmp/.htaccess exist?
  • If they exist, then there might be an issue with your Apache setup. Maybe mod_auth is not enabled, for example.
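
A manual version of the two checks above, as an added example (not Matomo's own code): it verifies that the generated .htaccess files exist and that the private paths answer with a 4xx status rather than 200 when fetched like a browser would. MATOMO_DIR, MATOMO_URL and the list of probed paths are assumptions, not values from this thread.

```shell
# Added example (not Matomo's own code): redo the security check by hand.
# Assumes MATOMO_DIR is the install path and MATOMO_URL the site's base URL,
# e.g. https://analytics.example.com (placeholder).

# Directories that core:create-security-files protects with .htaccess rules.
PRIVATE_DIRS="config plugins tmp"

# Map an HTTP status to a verdict: only a readable response (200) is a problem.
# 403 and 404 both mean the web server refused to serve the path.
classify_status() {
  case "$1" in
    200) echo exposed ;;
    401|403|404) echo blocked ;;
    *) echo unknown ;;
  esac
}

# Verify the generated .htaccess files exist; prints the first missing one.
htaccess_present() {
  for d in $PRIVATE_DIRS; do
    if [ ! -f "$MATOMO_DIR/$d/.htaccess" ]; then
      echo "missing: $d/.htaccess"
      return 1
    fi
  done
  return 0
}

# Fetch a path and print only the HTTP status code (000 if unreachable).
probe_status() {
  code=$(curl -s -o /dev/null -w '%{http_code}' "$MATOMO_URL/$1" 2>/dev/null) || true
  echo "${code:-000}"
}

# Probe each private directory plus the config file; the path list is a constructed guess.
run_check() {
  rc=0
  for p in config/ config/config.ini.php plugins/ tmp/; do
    status=$(probe_status "$p")
    verdict=$(classify_status "$status")
    printf '%-25s %s  %s\n' "$p" "$status" "$verdict"
    [ "$verdict" = exposed ] && rc=1
  done
  return $rc
}

# Live probes run only when MATOMO_URL is set; sourcing the file just defines the functions.
if [ -n "${MATOMO_URL:-}" ]; then
  htaccess_present || echo ".htaccess missing; re-run ./console core:create-security-files"
  run_check
fi
```

A non-zero exit from run_check means at least one private path was served with 200, which is the condition the Matomo check reports.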

@54mu3l commented on October 24th 2021

Same here. I use Matomo within Docker and the .htaccess files have been created. But still the security check fails.

If I try to access these paths with my browser I get a 403.

Why doesn't the security check recognize the 403 status code?
