This issue may allow anyone to fill any Piwik install with fake stats, just by getting the Piwik JavaScript code included in the pages, modifying it, and calling it within a loop from a local computer.
I have the latest Piwik 2.4.1 freshly installed onto a distant server running PHP 5.5.14.
It has only 2 trusted hosts (as seen in config.ini.php):
the one on which it is installed (stats.domainname.com)
The problem is the following:
When I locally preview my HTML/PHP files that include the JavaScript tracking code in a web browser (I mean really a local use, dragging and dropping the file into the browser window, not calling it through a local server), those pages and "visits" are tracked by the stats.domainname.com install of Piwik.
In the "Pages" widget, they are tracked under the following label: "Page URL not defined"
I had the same problem with Piwik 2.3.0.
My test code that triggers server-side Piwik when run from c:/test.htm in the browser:
In global.ini.php, enable_trusted_host_check = 1 (and not commented out).
Configuration: Windows 7 64 bits, Firefox 30.0, PHP 5.5.14
Shine75 changed the title from "PIWIK installed on server tracks visits from local file testing (no server)" to "PIWIK installed on a distant server tracks visits from files locally opened (as file://)" on Jul 15, 2014
Shine75 changed the title from "PIWIK installed on a distant server tracks visits from files locally opened (as file://)" to "PIWIK installed on a distant server tracks pages and visits from files locally opened (as file://)" on Jul 15, 2014
Shine75 changed the title from "PIWIK installed on a distant server tracks pages and visits from files locally opened (as file://)" to "PIWIK installed on a distant server tracks pages and visits from locally opened files (as file://)" on Jul 17, 2014
Shine75 changed the title from "PIWIK installed on a distant server tracks pages and visits from locally opened files (as file://)" to "Security issue : PIWIK installed on a distant server tracks pages and visits from locally opened files (as file://)" on Jul 17, 2014
halfdan changed the title from "Security issue : PIWIK installed on a distant server tracks pages and visits from locally opened files (as file://)" to "Security issue : Piwik installed on a distant server tracks pages and visits from locally opened files (as file://)" on Jul 22, 2014
Hi @Shine75
The trusted host setting only limits access to the dashboard and does not restrict tracking. Restricting tracking would be ineffective and can easily be circumvented by forging tracking requests.
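To make the distinction in the comment above concrete: the trusted-host check guards the reporting UI, while the tracker endpoint accepts hits from any client, so the only place a defender can reason about hits like the "Page URL not defined" ones is on the hits themselves. The following is an added, illustrative Python example (not Piwik's own code, which is PHP) of two server-side checks an operator could run over tracker requests: rejecting hits whose `url` parameter is empty, is a file:// URL, or names a host not registered for that site, and flagging client IPs that send an implausible number of hits in a short window. The `SITE_URLS` table and the `SAMPLE_HITS` list are constructed for the example, and the assumption that a file://-opened page arrives with an empty or file:// `url` parameter is the reporter's observation, not something verified against the Piwik source.

```python
from collections import defaultdict, deque
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for the site URLs an administrator registers per idsite.
SITE_URLS = {
    1: ["http://www.domainname.com", "https://www.domainname.com"],
}


def classify_hit(query_string, site_urls=SITE_URLS):
    """Decide whether one tracker request (its query string) should be recorded.

    Returns (accept, reason). The checks mirror what a server-side filter could
    do: the request must name a known site, carry a web (http/https) page URL,
    and that URL's host must be one registered for the site.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    try:
        idsite = int(params.get("idsite", [""])[0])
    except ValueError:
        return False, "bad idsite"
    if idsite not in site_urls:
        return False, "unknown idsite"

    url = params.get("url", [""])[0]
    if not url:
        # Hits with no page URL are what the report shows as "Page URL not defined".
        return False, "no page url"
    parts = urlsplit(url)
    if parts.scheme == "file" or not parts.netloc:
        # A page opened from the local filesystem has no web origin.
        return False, "non-web origin"
    for base in site_urls[idsite]:
        b = urlsplit(base)
        if parts.scheme == b.scheme and parts.netloc.lower() == b.netloc.lower():
            return True, "ok"
    return False, "url host not registered for site"


def flag_floods(hits, max_hits, window_seconds):
    """Flag client IPs that exceed max_hits within any window_seconds span.

    hits is an iterable of (timestamp_seconds, client_ip), sorted by time.
    A sliding window per IP keeps only timestamps inside the window, so memory
    stays bounded by max_hits per active client.
    """
    recent = defaultdict(deque)
    flagged = set()
    for ts, ip in hits:
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window_seconds:
            q.popleft()
        if len(q) > max_hits:
            flagged.add(ip)
    return flagged


# Constructed sample: one client sending 50 hits in 50 seconds (a looped
# script), another sending two hits 70 seconds apart (an ordinary visitor).
SAMPLE_HITS = (
    [(0, "198.51.100.7")]
    + [(t, "203.0.113.5") for t in range(1, 51)]
    + [(70, "198.51.100.7")]
)

if __name__ == "__main__":
    for qs in (
        "idsite=1&rec=1&url=http%3A%2F%2Fwww.domainname.com%2Findex.html",
        "idsite=1&rec=1&url=file%3A%2F%2F%2FC%3A%2Ftest.htm",
        "idsite=1&rec=1&url=",
        "idsite=1&rec=1&url=http%3A%2F%2Fevil.example%2F",
    ):
        print(qs, "->", classify_hit(qs))
    print("flooding clients:", flag_floods(SAMPLE_HITS, max_hits=20, window_seconds=60))
```

Both checks are heuristics rather than authentication: a URL parameter is client-supplied and can be set to anything, which is exactly the comment's point that restricting tracking by origin cannot be made airtight. They do, however, stop the accidental case the report describes (locally opened copies of a site polluting its stats) and give a signal for the deliberate flooding case.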
Hi @halfdan
What are you saying? Of course it's not a bug, it's just a huge security hole! How can you close this so quickly?
Talking about trusted hosts just to close this is.... but what? It's just a part of the problem.
Please let's study this issue or forward it.
May I put this public to have a solution? Who will trust a solution that can be flooded by anyone so easily?