
Security issue : Piwik installed on a distant server tracks pages and visits from locally opened files (as file://) #5831

Closed
Shine75 opened this issue Jul 15, 2014 · 4 comments
Labels
Bug For errors / faults / flaws / inconsistencies etc. duplicate For issues that already existed in our issue tracker and were reported previously.

Comments

@Shine75

Shine75 commented Jul 15, 2014

This issue may allow anyone to fill any piwik install with fake stats, just getting the PIWIK javascript code included in the pages, modifying it, and calling it within a loop from a local computer.


I have the latest Piwik 2.4.1 freshly installed on a distant server running PHP 5.5.14.
It has only 2 trusted hosts (as seen in config.ini.php):

  • the one on which it is installed (stats.domainname.com)
  • and the website it is supposed to track (www.domainname.com)

The problem is the following:
When I locally preview my HTML/PHP files that include the javascript tracking code in a web browser (I mean a really local use, dragging and dropping the file into the browser window, not calling it through a local server), those pages and "visits" are tracked by the stats.domainname.com install of piwik.

In the "Pages" widget, they are tracked under the following label: "Page URL not defined"

I had the same problem with Piwik 2.3.0


My test code that triggers the server-side Piwik when run from c:/test.htm in the browser:

test.htm

<HTML>
<BODY>
    <script>
        var _paq = _paq || [];
        _paq.push(["enableLinkTracking"]);

        (function() {
            // Tracker endpoint on the distant server; a file:// page has protocol "file:",
            // so this resolves to the plain http URL
            var u=(("https:" == document.location.protocol) ? "https" : "http") + "://stats.domainname.com/";
            _paq.push(["setTrackerUrl", u+"piwik.php"]);
            _paq.push(["setSiteId", "1"]);

            // Load piwik.js from the distant server
            var d=document, g=d.createElement("script"), s=d.getElementsByTagName("script")[0];
            g.type = "text/javascript";
            g.defer = true;
            g.async = true;
            g.src = u+"piwik.js";
            s.parentNode.insertBefore(g,s);
        })();

        _paq.push(['setDocumentTitle', "test"]);
        // This is the call that sends the tracking request to piwik.php
        _paq.push(['trackPageView']);
    </script>
</BODY>
</HTML>

In global.ini.php, enable_trusted_host_check = 1 (and not commented out).


Configuration: Windows 7 64 bits, Firefox 30.0, PHP 5.5.14

@Shine75 Shine75 changed the title PIWIK installed on server tracks visits from local file testing (no server) PIWIK installed on a distant server tracks visits from files locally opened (as file://) Jul 15, 2014
@Shine75 Shine75 changed the title PIWIK installed on a distant server tracks visits from files locally opened (as file://) PIWIK installed on a distant server tracks pages and visits from files locally opened (as file://) Jul 15, 2014
@Shine75 Shine75 changed the title PIWIK installed on a distant server tracks pages and visits from files locally opened (as file://) PIWIK installed on a distant server tracks pages and visits from locally opened files (as file://) Jul 17, 2014
@Shine75 Shine75 changed the title PIWIK installed on a distant server tracks pages and visits from locally opened files (as file://) Security issue : PIWIK installed on a distant server tracks pages and visits from locally opened files (as file://) Jul 17, 2014
@halfdan halfdan changed the title Security issue : PIWIK installed on a distant server tracks pages and visits from locally opened files (as file://) Security issue : Piwik installed on a distant server tracks pages and visits from locally opened files (as file://) Jul 22, 2014
@halfdan
Member

halfdan commented Jul 22, 2014

Hi @Shine75
the trusted host setting only limits access to the dashboard and does not restrict tracking. Restricting tracking would be ineffective and can easily be circumvented by forging tracking requests.

Closing as this is not a bug.

@halfdan halfdan closed this as completed Jul 22, 2014
@Shine75
Author

Shine75 commented Jul 24, 2014

Hi @halfdan
What are you saying? Of course it's not a bug, it's just a huge security hole! How can you close this so quickly?

Talking about trusted hosts just to close this is... but what? It's just a part of the problem.
Please let's study this issue or forward it.
May I make this public to get a solution? Who will trust a solution that can be flooded by anyone so easily?

@mattab
Member

mattab commented Aug 3, 2014

@Shine75 see New admin setting: whitelist website URLs or hosts allowed to tracked visits #588

@mattab mattab added the Bug For errors / faults / flaws / inconsistencies etc. label Sep 20, 2014
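Added example (not Piwik's code, and not code posted by anyone in this thread): a server-side sketch in Python of the allowlist check mattab refers to, applied to constructed piwik.php hits. The parameter names `url` and `idsite` follow the Piwik tracking API; the function names, the allowlist contents and the sample hits are assumptions. The last sample shows halfdan's caveat in practice: a hit whose `url` parameter names an allowed host cannot be told apart from a genuine visit, so the allowlist removes accidental noise such as file:// previews but is not a security boundary for the statistics.

```python
from urllib.parse import urlsplit

# Allowlist taken from the issue's description of the site to be tracked; under
# the proposed fix (#588) this would be an admin setting per site, not a constant.
ALLOWED_HOSTS = {"www.domainname.com"}


def host_of(url):
    """Return the lowercase hostname of an http(s) URL, or None for anything
    else (missing value, file:// URL, unparsable text)."""
    if not url:
        return None
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower()


def classify_tracking_request(params, headers):
    """Decide whether a tracking hit should be recorded (hypothetical check).

    params:  query parameters of the piwik.php request; 'url' is the page URL
             as reported by piwik.js (Piwik tracking API parameter name).
    headers: HTTP request headers; only 'Referer' is consulted.
    Returns (accepted, reason).
    """
    page_host = host_of(params.get("url"))
    referer_host = host_of(headers.get("Referer"))

    if page_host in ALLOWED_HOSTS:
        return True, "page URL host is allowlisted"
    if page_host is None and referer_host in ALLOWED_HOSTS:
        # piwik.js reported no usable page URL, but the browser says the
        # request came from an allowed page; accept it.
        return True, "no usable page URL, Referer host is allowlisted"
    if page_host is None and referer_host is None:
        return False, "no page URL and no Referer (e.g. a file:// page)"
    return False, "host %r is not allowlisted" % (page_host or referer_host)


# Constructed sample hits; not captured from a real Piwik instance.
SAMPLE_HITS = {
    "real visit": (
        {"idsite": "1", "rec": "1", "url": "http://www.domainname.com/index.html"},
        {"Referer": "http://www.domainname.com/index.html"},
    ),
    "local file preview": (
        {"idsite": "1", "rec": "1", "url": "file:///C:/test.htm"},
        {},  # browsers send no Referer for a file:// origin
    ),
    "other site": (
        {"idsite": "1", "rec": "1", "url": "http://example.net/"},
        {"Referer": "http://example.net/"},
    ),
    "forged": (
        # Same parameters a genuine visit would carry; the server cannot tell.
        {"idsite": "1", "rec": "1", "url": "http://www.domainname.com/any"},
        {},
    ),
}


def run_samples():
    """Map each sample name to whether the check would record the hit."""
    return {name: classify_tracking_request(p, h)[0]
            for name, (p, h) in SAMPLE_HITS.items()}


if __name__ == "__main__":
    for name, (p, h) in SAMPLE_HITS.items():
        accepted, reason = classify_tracking_request(p, h)
        print("%-20s %s (%s)" % (name, "record" if accepted else "drop", reason))
```

The file:// preview from the issue is dropped because piwik.js sends a `file:` URL and the browser sends no Referer, which is the noise #588 is meant to remove; the "forged" entry is recorded, which is exactly why halfdan calls host restriction ineffective against deliberate stat pollution.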
@mattab
Member

mattab commented Apr 6, 2021

It will also be fixed by default for all users in #17017
