Cloudron makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server. Find out more or install now.


    Cloudron Forum

    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular

    After todays update: serious security config errors!

    Matomo
    3
    5
    389
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • imc67
      imc67 translator last edited by imc67

      Just updated Matomo to the latest app version and this is the red security warning:

      Required Private Directories https://analytics.domain.tld/config/config.ini.php
      https://analytics.domain.tld/lang/en.json
      We found that the above URLs are accessible via the browser, but they should NOT be. Allowing them to be accessed can pose a potential security risk since the contents can provide information about your server and potentially your users. Please restrict access to them.

      We also found that Matomo's config directory is publicly accessible. While attackers can't read the config now, if your webserver stops executing PHP files for some reason, your MySQL credentials and other information will be available to anyone. Please check your webserver config and deny access to this directory.

      nebulon d19dotca 2 Replies Last reply Reply Quote 2
      • nebulon
        nebulon Staff @imc67 last edited by

        @imc67 thanks for the heads up, looking into this now. We haven't changed anything in the package config as such, so maybe those were always accessible?

        1 Reply Last reply Reply Quote 1
        • d19dotca
          d19dotca @imc67 last edited by

          @imc67 @nebulon I can confirm I see this as well after it updated last night. But you're right, it wasn't there before so if the package wasn't changed to allow those files pubiclly then perhaps the Matomo update added that extra security check. Either way it should be fixed though. Hopefully it won't be too difficult to resolve.

          --
          Dustin Dauncey
          www.d19.ca

          1 Reply Last reply Reply Quote 0
          • nebulon
            nebulon Staff last edited by

            I've released a new package right now, which fixes this issue.

            imc67 1 Reply Last reply Reply Quote 3
            • imc67
              imc67 translator @nebulon last edited by

              @nebulon thanks!!!!!

              1 Reply Last reply Reply Quote 0
              • First post
                Last post
              Powered by NodeBB