
Security issue? /console #20055

Closed
ghnp5 opened this issue Nov 26, 2022 · 2 comments
Labels: c: Security (for issues that make Matomo more secure; please report such issues through HackerOne and not in GitHub) · duplicate (for issues that already existed in the issue tracker and were reported previously)

Comments


ghnp5 commented Nov 26, 2022

Hi

If I put this in the browser's address bar:

https://matomo.example.com:8000/console

The "console" PHP file will download to the user's machine.

Are you aware of this?

I understand this "console" code is public, but I just wonder what this means for the security of Matomo in general.
(I'm new to Matomo)

For now, I'll block this URL in the nginx config, hoping that it won't cause any problems, but I'm wondering what else could be "exposed" like this.

There seem to be many files under /var/www/html/ that probably really should be outside this public folder.
For example, config.ini.php - I know it has an exit instruction at the top, but still, if this file ever "accidentally downloads" to the user's machine due to a config error, it would expose the database password.

@ghnp5 ghnp5 added Potential Bug Something that might be a bug, but needs validation and confirmation it can be reproduced. To Triage An issue awaiting triage by a Matomo core team member labels Nov 26, 2022
peterhashair (Contributor) commented Nov 27, 2022

@ghnp5 thank you for reporting this. I think you are right: although the console file is open source, it shouldn't allow downloading through a URL.

@peterhashair peterhashair added c: Security (For issues that make Matomo more secure. Please report issues through HackerOne and not in Github.) and Needs priority decision (This issue may need to be added to the current milestone by Product Manager), and removed Potential Bug (Something that might be a bug, but needs validation and confirmation it can be reproduced) and To Triage (An issue awaiting triage by a Matomo core team member) labels Nov 27, 2022
@peterhashair peterhashair added this to the For Prioritization milestone Nov 27, 2022
sgiehl (Member) commented Nov 28, 2022

@ghnp5 This is kind of a known issue. I'll close your report in favor of #19505, which includes this one.
If you meanwhile want to hide such files from access, feel free to configure your webserver in a way so that they aren't accessible.

@sgiehl sgiehl closed this as completed Nov 28, 2022
@sgiehl sgiehl removed this from the For Prioritization milestone Nov 28, 2022
@sgiehl sgiehl added the duplicate For issues that already existed in our issue tracker and were reported previously. label Nov 28, 2022
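As an added example (not from the Matomo project or from anyone in this thread), an nginx server block that implements the webserver-side workaround the reporter mentions and sgiehl recommends: it refuses the extensionless `console` CLI script (which a default config serves as a plain file download), blocks the `config/` and `tmp/` directories that hold `config.ini.php` and caches, and passes only an allowlist of PHP entry points to PHP-FPM so that any other `.php` file is neither executed nor served as source. The document root `/var/www/html` and hostname come from the report; the PHP-FPM socket path and the entry-point list are assumptions to adjust for the Matomo version in use.

```nginx
server {
    listen 443 ssl;
    server_name matomo.example.com;      # hostname from the report
    root /var/www/html;                  # Matomo document root from the report
    index index.php;

    # The CLI script has no .php extension, so a default config hands its
    # source to the client as a file download. Refuse it explicitly.
    location = /console { return 404; }

    # config/ holds config.ini.php (database credentials), tmp/ holds caches
    # and logs. Never serve them, even if the PHP handler is misconfigured.
    # Regex locations are matched in order, so this wins over the .php rules.
    location ~ ^/(config|tmp)/ { return 404; }

    # Dotfiles such as .git or .htaccess.
    location ~ /\. { return 404; }

    # Allowlist: only these entry points reach PHP-FPM (assumed list).
    location ~ ^/(index|matomo|piwik|js/index)\.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket path
    }

    # Any other .php file: not executed and not served as source.
    location ~ \.php$ { return 404; }

    # Static assets (js, css, images) fall through to the filesystem.
    location / { try_files $uri $uri/ =404; }
}
```

After reloading, requesting `/console` and `/config/config.ini.php` should both return 404 while `/index.php` still reaches PHP-FPM.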