@Shine75 opened this Issue on July 15th 2014

This issue may allow anyone to fill any Piwik install with fake stats, just by getting the Piwik javascript code included in the pages, modifying it, and calling it within a loop from a local computer.


I have the latest Piwik 2.4.1 fresh installed onto a distant server running PHP 5.5.14.
It has only 2 trusted hosts (as seen in config.ini.php):

  • the one on which it is installed (stats.domainname.com)
  • and the website it is supposed to track (www.domainname.com)

The problem is the following:
When I locally preview my HTML/PHP files, that include the javascript tracking code, into a web browser (I mean really a local use, drag and dropping the file into the browser window, not calling it through a local server), those pages and "visits" are tracked by the stats.domainname.com install of piwik.

In the "Pages" widget, they are tracked under the following label: "Page URL not defined"

I had the same problem with Piwik 2.3.0


My test code that triggers server-side Piwik when run from c:/test.htm in the browser

test.htm

<HTML>
<BODY>
    <script>
        var _paq = _paq || [];
        _paq.push(["enableLinkTracking"]);

        (function() {
            var u=(("https:" == document.location.protocol) ? "https" : "http") + "://stats.domainname.com/";
            _paq.push(["setTrackerUrl", u+"piwik.php"]);
            _paq.push(["setSiteId", "1"]);

            var d=document, g=d.createElement("script"), s=d.getElementsByTagName("script")[0];
            g.type = "text/javascript";
            g.defer = true;
            g.async = true;
            g.src = u+"piwik.js";
            s.parentNode.insertBefore(g,s);
        })();

        _paq.push(['setDocumentTitle', "test"]);
        _paq.push(['trackPageView']);
    </script>
</BODY>
</HTML>

In global.ini.php, enable_trusted_host_check = 1 (and not commented)


Configuration: Windows 7 64-bit, Firefox 30.0, PHP 5.5.14

@halfdan commented on July 22nd 2014 Member

Hi @Shine75,
The trusted host setting only limits access to the dashboard and does not restrict tracking. Restricting tracking would be ineffective and can easily be circumvented by forging tracking requests.

Closing as this is not a bug.

@Shine75 commented on July 24th 2014

Hi @halfdan,
What are you saying? Of course it's not a bug, it's just a huge security hole! How can you close this so quickly?

Talking about trusted hosts just to close this is... but what? It's just a part of the problem.
Please let's study this issue or forward it.
May I put this public to have a solution? Who will trust a solution that can be flooded by anyone so easily?

@mattab commented on August 3rd 2014 Member

@Shine75 see New admin setting: whitelist website URLs or hosts allowed to tracked visits #588
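As an added illustration of the server-side allowlist that #588 proposes (this is example code written for this page, not Matomo's own implementation), the following Python sketch decides whether a piwik.php tracking request should be recorded by comparing the host in its `url` parameter against the hosts configured for that site id. The parameter names `idsite` and `url` are those of the Matomo tracking API; the per-site allowlist, the sample request query strings and the helper names are constructed for the example. It also shows the caveat from @halfdan's comment: since `url` is supplied by the client, the check stops accidental pollution such as the local file:// preview in this thread, but a deliberately forged request can still claim an allowed host.

```python
from urllib.parse import urlparse, parse_qs

# Constructed allowlist: hosts whose pages may record visits for each site id.
# Mirrors the setup in the thread, where site 1 is www.domainname.com and
# stats.domainname.com is the Matomo host itself (not a tracked site).
ALLOWED_HOSTS_BY_SITE = {
    "1": {"www.domainname.com", "domainname.com"},
}


def host_of(url):
    """Return the lowercase hostname of an absolute http(s) URL, else None.

    file:// previews (the case reported in the issue) and bare paths have no
    http(s) host and therefore yield None.
    """
    if not url:
        return None
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower()


def should_record(query_string):
    """Decide whether a piwik.php tracking request should be recorded.

    query_string is the raw query part of the request (constructed here).
    Returns (accepted, reason) so callers can log why a hit was dropped.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    idsite = params.get("idsite", [None])[0]
    allowed = ALLOWED_HOSTS_BY_SITE.get(idsite)
    if allowed is None:
        return False, "unknown idsite %r" % idsite
    host = host_of(params.get("url", [None])[0])
    if host is None:
        # This is the branch the "Page URL not defined" hits from the
        # issue would take: no http(s) page URL accompanies the request.
        return False, "page url missing or not http(s)"
    if host not in allowed:
        return False, "host %s not allowed for site %s" % (host, idsite)
    return True, "ok"


def triage(query_strings):
    """Run should_record over a batch of requests; return (accepted, rejected)."""
    accepted = [q for q in query_strings if should_record(q)[0]]
    rejected = [q for q in query_strings if not should_record(q)[0]]
    return accepted, rejected


# Constructed sample requests, as a tracker would see them in its access log.
SAMPLE_REQUESTS = [
    # legitimate page view from the tracked site
    "idsite=1&rec=1&url=http%3A%2F%2Fwww.domainname.com%2Fpage&action_name=test",
    # the local file:// preview from the issue report
    "idsite=1&rec=1&url=file%3A%2F%2F%2FC%3A%2Ftest.htm&action_name=test",
    # a page on a host that is not on the allowlist for site 1
    "idsite=1&rec=1&url=http%3A%2F%2Fother.example%2F",
    # a site id that has no allowlist configured
    "idsite=2&rec=1&url=http%3A%2F%2Fwww.domainname.com%2F",
    # no url parameter at all
    "idsite=1&rec=1",
]

if __name__ == "__main__":
    for q in SAMPLE_REQUESTS:
        print(should_record(q), q)
```

Running the block prints one decision per constructed request; only the first is accepted. Because the `url` value comes from the client, this allowlist should be treated as hygiene against the accidental case the reporter hit rather than as protection against someone who forges requests on purpose, which is the point @halfdan makes above.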

@mattab commented on April 6th 2021 Member

It will also be fixed by default for all users in https://github.com/matomo-org/matomo/issues/17017

This Issue was closed on July 22nd 2014