@ghnp5 opened this Issue on November 26th 2022

Hi

If I put this in the browser's address bar:

https://matomo.example.com:8000/console

The "console" PHP file will download to the user's machine.

Are you aware of this?

I understand this "console" code is public, but I just wonder what this means for the security of Matomo in general.
(I'm new to Matomo)

For now, I'll block this URL in the nginx config, hoping that it won't cause any problems, but I'm wondering what else could be "exposed" like this.

There seem to be many files under /var/www/html/ that probably really should be outside this public folder.
For example, config.ini.php - I know it has an exit instruction at the top, but still, if this file ever "accidentally downloads" to the user's machine due to a config error, it would expose the database password.

@peterhashair commented on November 27th 2022 Contributor

@ghnp5 thank you for reporting this, I think you are right although the console file is open source, it shouldn't allow downloading through a URL.

@sgiehl commented on November 28th 2022 Member

@ghnp5 This is kind of a known issue. I'll close your report in favor of https://github.com/matomo-org/matomo/issues/19505, which includes this one.
If you meanwhile want to hide such files from access, feel free to configure your webserver in a way so they aren't accessible.
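The reporter's workaround and the maintainer's advice both amount to the same webserver-side rule. The snippet below is an added example of such an nginx configuration; it is not part of this issue thread and not Matomo's own recommended config. The `console` file has no `.php` extension, so a typical `location ~ \.php$` rule never routes it to PHP-FPM and nginx serves it as a plain static file. Paths other than `/console` (the `config/` directory and the `.ini.php` suffix) are assumptions about a default Matomo layout, and `php-fpm` socket details are placeholders for the site's real upstream.

```nginx
# Constructed example server block; adjust server_name, root and the
# fastcgi_pass target to the real deployment.
server {
    listen 8000;
    server_name matomo.example.com;
    root /var/www/html;
    index index.php;

    # Refuse the extension-less CLI entry point that nginx would otherwise
    # hand out as a static download (the behaviour reported in this issue).
    location = /console {
        return 404;
    }

    # Assumed Matomo layout: keep the configuration directory, and any
    # *.ini.php file wherever it sits, out of reach even if PHP handling
    # is misconfigured and the file would be served as text.
    location ~ ^/config/ {
        return 404;
    }
    location ~ \.ini\.php$ {
        return 404;
    }

    # Normal PHP handling for everything else.
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # placeholder upstream
    }

    location / {
        try_files $uri $uri/ =404;
    }
}
```

After reloading nginx, a request such as `curl -sI https://matomo.example.com:8000/console` should return `404` rather than a `200` with the file body; check the `config/` path the same way, since a `200` there would mean the deny rule is being shadowed by an earlier `location` match.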

This Issue was closed on November 28th 2022