<![CDATA[After todays update: serious security config errors!]]>Just updated Matomo to the latest app version and this is the red security warning:

Required Private Directories https://analytics.domain.tld/config/config.ini.php
https://analytics.domain.tld/lang/en.json
We found that the above URLs are accessible via the browser, but they should NOT be. Allowing them to be accessed can pose a potential security risk since the contents can provide information about your server and potentially your users. Please restrict access to them.

We also found that Matomo's config directory is publicly accessible. While attackers can't read the config now, if your webserver stops executing PHP files for some reason, your MySQL credentials and other information will be available to anyone. Please check your webserver config and deny access to this directory.

]]>https://forum.cloudron.io/topic/5080/after-todays-update-serious-security-config-errorsRSS for NodeThu, 16 Apr 2026 05:57:20 GMTMon, 17 May 2021 20:25:20 GMT60<![CDATA[Reply to After todays update: serious security config errors! on Tue, 18 May 2021 19:37:25 GMT]]>@nebulon thanks!!!!!

]]>https://forum.cloudron.io/post/31515https://forum.cloudron.io/post/31515Tue, 18 May 2021 19:37:25 GMT<![CDATA[Reply to After todays update: serious security config errors! on Tue, 18 May 2021 19:23:26 GMT]]>I've released a new package right now, which fixes this issue.

]]>https://forum.cloudron.io/post/31513https://forum.cloudron.io/post/31513Tue, 18 May 2021 19:23:26 GMT<![CDATA[Reply to After todays update: serious security config errors! on Tue, 18 May 2021 15:27:48 GMT]]>@imc67 @nebulon I can confirm I see this as well after it updated last night. But you're right, it wasn't there before so if the package wasn't changed to allow those files pubiclly then perhaps the Matomo update added that extra security check. Either way it should be fixed though. Hopefully it won't be too difficult to resolve.

]]>https://forum.cloudron.io/post/31486https://forum.cloudron.io/post/31486Tue, 18 May 2021 15:27:48 GMT<![CDATA[Reply to After todays update: serious security config errors! on Tue, 18 May 2021 15:24:44 GMT]]>@imc67 thanks for the heads up, looking into this now. We haven't changed anything in the package config as such, so maybe those were always accessible?

]]>https://forum.cloudron.io/post/31485https://forum.cloudron.io/post/31485Tue, 18 May 2021 15:24:44 GMT