If I put this in the browser's address bar:
The "console" PHP file will download to the user's machine.
Are you aware of this?
I understand this "console" code is public, but I just wonder what this means for the security of Matomo in general.
(I'm new to Matomo)
For now, I'll block this URL in the nginx config, hoping that it won't cause any problems, but I'm wondering what else could be "exposed" like this.
There seem to be many files under /var/www/html/ that probably really should be outside this public folder.
config.ini.php - I know it has an exit instruction at the top, but still, if this file ever "accidentally downloads" to the user's machine due to a config error, it would expose the database password.
@ghnp5 thank you for reporting this. I think you are right: although the console file is open source, it shouldn't allow downloading through a URL.
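
An added example, not part of this thread and not Matomo's own code: a Python audit that walks a web root and lists files containing PHP source that the web server would return as a plain download, which is the "what else could be exposed like this" question raised above. It assumes the server hands only names ending in `.php` to the PHP interpreter; the function names and the sample tree are constructed for illustration.

```python
import os
import tempfile

def looks_like_php(path, sniff=512):
    """True if the file starts with a php shebang or contains a PHP open tag."""
    with open(path, "rb") as fh:
        head = fh.read(sniff)
    first_line = head.split(b"\n", 1)[0]
    if first_line.startswith(b"#!") and b"php" in first_line:
        return True
    return b"<?php" in head or b"<?=" in head

def find_exposed_php(webroot, handled_exts=(".php",)):
    """Relative paths of PHP-source files the server would not hand to PHP.

    Assumption: only names ending in handled_exts are executed; every other
    file under webroot is returned to the client as a static download.
    """
    exposed = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            full = os.path.join(dirpath, name)
            if not name.lower().endswith(handled_exts) and looks_like_php(full):
                exposed.append(os.path.relpath(full, webroot))
    return sorted(exposed)

def build_sample_tree(root):
    """Constructed sample web root (not a real Matomo install)."""
    samples = {
        "index.php": b"<?php echo 'hi';\n",
        "console": b"#!/usr/bin/env php\n<?php // CLI entry point\n",
        "config/config.ini.php": b"; <?php exit; ?>\n[database]\n",
        "config/settings.php.bak": b"<?php $secret = 'placeholder';\n",
        "README.md": b"# docs\n",
    }
    for rel, data in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        for rel in find_exposed_php(root):
            print("served as static file:", rel)
```

Files such as config.ini.php that do end in `.php` are not flagged, because they stay protected only while the PHP handler is configured correctly; keeping them outside the public folder is the separate fix the thread asks about.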