After todays update: serious security config errors!
-
Just updated Matomo to the latest app version and this is the red security warning:
Required Private Directories https://analytics.domain.tld/config/config.ini.php
https://analytics.domain.tld/lang/en.json
We found that the above URLs are accessible via the browser, but they should NOT be. Allowing them to be accessed can pose a potential security risk since the contents can provide information about your server and potentially your users. Please restrict access to them.We also found that Matomo's config directory is publicly accessible. While attackers can't read the config now, if your webserver stops executing PHP files for some reason, your MySQL credentials and other information will be available to anyone. Please check your webserver config and deny access to this directory.
-
Just updated Matomo to the latest app version and this is the red security warning:
Required Private Directories https://analytics.domain.tld/config/config.ini.php
https://analytics.domain.tld/lang/en.json
We found that the above URLs are accessible via the browser, but they should NOT be. Allowing them to be accessed can pose a potential security risk since the contents can provide information about your server and potentially your users. Please restrict access to them.We also found that Matomo's config directory is publicly accessible. While attackers can't read the config now, if your webserver stops executing PHP files for some reason, your MySQL credentials and other information will be available to anyone. Please check your webserver config and deny access to this directory.
-
Just updated Matomo to the latest app version and this is the red security warning:
Required Private Directories https://analytics.domain.tld/config/config.ini.php
https://analytics.domain.tld/lang/en.json
We found that the above URLs are accessible via the browser, but they should NOT be. Allowing them to be accessed can pose a potential security risk since the contents can provide information about your server and potentially your users. Please restrict access to them.We also found that Matomo's config directory is publicly accessible. While attackers can't read the config now, if your webserver stops executing PHP files for some reason, your MySQL credentials and other information will be available to anyone. Please check your webserver config and deny access to this directory.
@imc67 @nebulon I can confirm I see this as well after it updated last night. But you're right, it wasn't there before so if the package wasn't changed to allow those files pubiclly then perhaps the Matomo update added that extra security check. Either way it should be fixed though. Hopefully it won't be too difficult to resolve.
Hello! It looks like you're interested in this conversation, but you don't have an account yet.
Getting fed up of having to scroll through the same posts each visit? When you register for an account, you'll always come back to exactly where you were before, and choose to be notified of new replies (either via email, or push notification). You'll also be able to save bookmarks and upvote posts to show your appreciation to other community members.
With your input, this post could be even better 💗
Register Login