Hi
If I put this in the browser's address bar:
https://matomo.example.com:8000/console
The "console" PHP file will download to the user's machine.
Are you aware of this?
I understand this "console" code is public, but I just wonder what this means for the security of Matomo in general.
(I'm new to Matomo)
For now, I'll block this URL in the nginx config, hoping that it won't cause any problems, but I'm wondering what else could be "exposed" like this.
There seem to be many files under /var/www/html/ that probably really should be outside this public folder.
For example, config.ini.php - I know it has an exit instruction at the top, but still, if this file ever "accidentally downloads" to the user's machine due to a config error, it would expose the database password.
@ghnp5 thank you for reporting this. I think you are right: although the console file is open source, it shouldn't allow downloading through a URL.
@ghnp5 This is kind of a known issue. I'll close your report in favor of https://github.com/matomo-org/matomo/issues/19505, which includes this one.
If you meanwhile want to hide such files from access, feel free to configure your webserver in a way so they aren't accessible.
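As an added example of the webserver-side hardening suggested in this thread (it is not Matomo's published configuration and was not posted by anyone above), the nginx site below takes a whitelist approach: only the PHP entry points and known static asset types are served, and everything else on disk, including the extensionless `console` script and `config/config.ini.php`, gets a 404 instead of a file download. The document root, the PHP-FPM socket path and the list of entry-point scripts are assumptions; adjust them for your install.

```nginx
# Added example, not the Matomo project's own config: refuse to serve
# anything under the web root that is not an explicit entry point or a
# static asset, so source files and config files are never downloadable.
server {
    listen 443 ssl;
    server_name matomo.example.com;
    root /var/www/html;                  # assumed Matomo document root
    index index.php;

    # Explicit refusals for the paths raised in the thread. The CLI
    # "console" script has no extension, so without this rule nginx would
    # hand it out as a plain download.
    location = /console   { return 404; }
    location ^~ /config/  { return 404; }   # holds config.ini.php (DB password)
    location ^~ /tmp/     { return 404; }   # caches, session data, logs
    location ~ /\.        { return 404; }   # .git, .htaccess, .env, ...

    # Only these scripts are handed to PHP-FPM (assumed entry points);
    # "try_files =404" stops nginx forwarding names that do not exist.
    location ~ ^/(index|matomo|piwik|js/index)\.php$ {
        try_files $uri =404;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket path
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    # Static assets are served by extension only. Anything else with a
    # .php extension falls through to the catch-all below and is refused.
    location ~* \.(css|js|png|jpg|jpeg|gif|svg|ico|woff2?|ttf|json)$ {
        try_files $uri =404;
    }

    # The site root is routed to index.php via an internal rewrite, which
    # re-enters location matching and lands in the PHP block above.
    location = / {
        rewrite ^ /index.php last;
    }

    # Catch-all: every other file on disk (.ini, .md, .txt, extensionless
    # scripts, vendor code) is refused rather than served from the root.
    location / {
        return 404;
    }
}
```

After deploying, check the behaviour rather than trusting the config: `curl -sI https://matomo.example.com/console` and `curl -sI https://matomo.example.com/config/config.ini.php` should both return 404, while `curl -sI https://matomo.example.com/` should return 200. The whitelist style is deliberate: a blocklist of known-sensitive names has to be kept up to date with every release, whereas a whitelist fails closed when a new file appears in the web root. If a plugin needs an extra entry point or asset type, add it to the relevant rule instead of widening the catch-all.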