Security issue? /console #20055
Labels
c: Security
For issues that make Matomo more secure. Please report issues through HackerOne and not in Github.
duplicate
For issues that already existed in our issue tracker and were reported previously.
Hi
If I put this in the browser's address bar:
https://matomo.example.com:8000/console
The "console" PHP file will download to the user's machine.
Are you aware of this?
I understand this "console" code is public, but I just wonder what does this mean to the security of Matomo in general.
(I'm new to Matomo)
For now, I'll block this URL in the nginx config, hoping that it won't cause any problems, but I'm wondering what else could be "exposed" like this.
There seem to be many files under /var/www/html/ that probably really should be outside this public folder. For example, config.ini.php - I know it has an exit instruction at the top, but still, if this file ever "accidentally downloads" to the user's machine due to a config error, it would expose the database password.
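One way to do the nginx blocking the reporter mentions, written here as an added example rather than anything from the issue or from Matomo's own shipped config; the listen port, the php-fpm socket path and the set of PHP entry points (index.php, matomo.php, piwik.php) are assumptions for this deployment:

```nginx
# Added example (not Matomo's shipped config). Hostname and document
# root are the ones from the report; everything else is assumed.
server {
    listen 8000 ssl;
    server_name matomo.example.com;
    root /var/www/html;
    index index.php;

    # 1. Refuse the CLI entry point, the config directory and the
    #    cache directory outright. Regex locations are tried in file
    #    order, so these must come before the PHP handler below.
    #    404 hides that the paths exist; use 403 for an explicit denial.
    location ~ ^/(console$|config/|tmp/) {
        return 404;
    }

    # 2. Never serve dotfiles (.git, .htaccess, .env ...).
    location ~ /\. {
        return 404;
    }

    # 3. Execute only the web entry points (assumed set for this site).
    location ~ ^/(index|matomo|piwik)\.php$ {
        try_files $uri =404;                        # no PATH_INFO tricks
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;    # assumed socket path
    }

    # 4. Any other .php file is neither executed nor downloaded. This is
    #    what protects config.ini.php even when PHP is misconfigured or
    #    php-fpm is down: the "exit" line only helps if PHP runs the file.
    location ~ \.php$ {
        return 404;
    }

    # 5. Everything else is static content (js, css, images).
    location / {
        try_files $uri $uri/ =404;
    }
}
```

After reloading, confirm that /console and /config/config.ini.php return 404 (for example with curl -I) and that the UI and tracker endpoints still respond.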