After todays update: serious security config errors!

imc67

Just updated Matomo to the latest app version and this is the red security warning:

Required Private Directories https://analytics.domain.tld/config/config.ini.php
https://analytics.domain.tld/lang/en.json
We found that the above URLs are accessible via the browser, but they should NOT be. Allowing them to be accessed can pose a potential security risk since the contents can provide information about your server and potentially your users. Please restrict access to them.

We also found that Matomo's config directory is publicly accessible. While attackers can't read the config now, if your webserver stops executing PHP files for some reason, your MySQL credentials and other information will be available to anyone. Please check your webserver config and deny access to this directory.

nebulon

@imc67 thanks for the heads up, looking into this now. We haven't changed anything in the package config as such, so maybe those were always accessible?

d19dotca

@imc67 @nebulon I can confirm I see this as well after it updated last night. But you're right, it wasn't there before so if the package wasn't changed to allow those files pubiclly then perhaps the Matomo update added that extra security check. Either way it should be fixed though. Hopefully it won't be too difficult to resolve.

nebulon

I've released a new package right now, which fixes this issue.

imc67

@nebulon thanks!!!!!