@SR-mkuhn opened this Issue on July 2nd 2015

via http://forum.piwik.org/read.php?2,127703

There seems to happen array to string conversions in 3 places in Piwik 2.14.0:

WARNING: /srv/www/htdocs/piwik/core/Plugin/Report.php(799): Warning - ucfirst() expects parameter 1 to be string, array given - Piwik 2.14.0

public static function factory($module, $action):
  $api = $module . '.' . ucfirst($action);

WARNING: /srv/www/htdocs/piwik/core/Http/ControllerResolver.php(63): Notice - Array to string conversion - Piwik 2.14.0

public function getController($module, $action, array &$parameters):
   throw new Exception(sprintf("Action '%s' not found in the module '%s'", $action, $module));

WARNING: /srv/www/htdocs/piwik/core/Http/ControllerResolver.php(132): Warning - substr() expects parameter 1 to be string, array given - Piwik 2.14.0

in private function isReportMenuAction($action):
   $startsWithMenu = (Report::PREFIX_ACTION_IN_MENU === substr($action, 0, strlen(Report::PREFIX_ACTION_IN_MENU)));


@tsteur commented on July 2nd 2015 Member

When does it happen? Can you let us know the steps to reproduce? Maybe you have a URL? Feel free to remove the domain of the URL and possible token_auth parameters

@SR-mkuhn commented on July 3rd 2015

This happend during a penetration test via acunetix.


This is from the data-field in the piwik-session table (database session handling is activated):

As those errors pile up in this field, an attacker can fill a database easily.

@mattab commented on July 15th 2015 Member

Hi @SR-mkuhn
The payload is kinda designed to trigger warning and notices (ie. passing arrays instead of strings) so I don't think we need to fix these.

@SR-mkuhn commented on July 16th 2015

But wouldn't it be a security improvement to have a preliminary test if your inputs (and types) are sane?

This Issue was closed on July 15th 2015
Powered by GitHub Issue Mirror