
Full Path Disclosure #14464

Closed
GIJohnathan opened this issue May 20, 2019 · 8 comments

@GIJohnathan

commented May 20, 2019

A full path disclosure vulnerability was discovered in Matomo (v3.9.1) where a user can trigger a particular error to discover the full path of Matomo on the disk.

PAYLOAD:
http://example.com/index.php?date=2019-04-20%2C2019-05-19&forceView=1&viewDataTable=test&module=API&action=get&widget=1&disableLink=0&idSite=1&period=day&columns=nb_outlinks%2Cnb_uniq_outlinks&colors={%22backgroundColor%22%3A%22%23ffffff%22%2C%22lineColor%22%3A%22%23162c4a%22%2C%22minPointColor%22%3A%22%23ff7f7f%22%2C%22maxPointColor%22%3A%22%2375bf7c%22%2C%22lastPointColor%22%3A%22%2355aaff%22%2C%22fillColor%22%3A%22%23ffffff%22

RESULT:

Neither the property "getRows" nor one of the methods "getRows()", "getgetRows()"/"isgetRows()" or "__call()" exist and have public access in class "Piwik\DataTable\Map".
in /var/www/html/mato/piwik/plugins/CoreVisualizations/templates/_dataTableViz_htmlTable.twig line 21

Discovered by Gionathan Armando Reale

CVE-2019-12215

@Findus23

Member

commented May 20, 2019

Hi,

On my Matomo instance this only shows the generic "A fatal error occurred" warning. Have you by chance set up your PHP to show more details than it should in production?

@fdellwing

Contributor

commented May 20, 2019

I can confirm this problem, but it only works if the user has at least view access to the site.

No custom PHP settings are in place.

@GIJohnathan

Author

commented May 20, 2019

No custom settings here, and yeah, it requires authentication; I did state that :)

@fdellwing

Contributor

commented May 20, 2019

This is the code that displays this additional error information:

{% if isAllowedToTroubleshootAsSuperUser or not isAnonymousUser %}
<p>
The following error just broke Matomo{% if showVersion %} (v{{ piwikVersion }}){% endif %}:
</p>
<pre>{{ lastError.message }}
{% if lastError.backtrace is defined %}{{ lastError.backtrace }}{% else %}in {{ lastError.file }} line {{ lastError.line }}{% endif %}
</pre>
<hr>
<h3>Troubleshooting</h3>
Follow these steps to solve the issue or report it to the team:
<ul>
<li>
If you have just updated Matomo to the latest version, please try to restart your web server.
This will clear the PHP opcache which may solve the problem.
</li>
<li>
If this is the first time you see this error, please try refresh the page.
</li>
<li>
<strong>If this error continues to happen</strong>, we appreciate if you send the
<a href="mailto:hello@matomo.org?subject={{ 'Fatal error in Matomo ' ~ piwikVersion|e('url') }}&body={{ lastError.message|e('url') }}%20in%20{{ lastError.file|e('url') }}%20{{ lastError.line|e('url') }}%20using%20PHP%20{{ constant('PHP_VERSION') }}">error report</a>
to the Matomo team.
</li>
</ul>
<hr/>
{% endif %}

So @Findus23, I would guess you tried as an anonymous user?

The easy fix would probably be to remove the base path from lastError.file?

@Findus23

Member

commented May 20, 2019

Not sure what I did wrong before, but now I can get the same safe mode page. But I doubt that showing the full backtrace to superusers is that much of a security issue, and it helps greatly with debugging.

I'm not sure what is causing the exception itself, as I can also reproduce it with https://dev.matomo/index.php?date=2019-04-20%2C2019-05-19&module=API&action=get&idSite=1&period=day
so I guess there is a parameter missing from the request.

@fdellwing

Contributor

commented May 20, 2019

The problem is that this page gets displayed for all users because the if has an or? If this information were only shown after adding i_am_super_user, the debugging could still happen?
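As an added example that is not Matomo's code (and not the fix referenced later in the thread), the PHP below sketches the two mitigations raised in the comments above: rendering the detailed message only to a super user who explicitly asked to troubleshoot, instead of the template's "super user or any logged-in user" condition, and stripping the install directory from lastError.file (and from a backtrace, if one is present) before it reaches the page. The function names, the $basePath value and the sample $lastError array are assumptions constructed for this illustration.

```php
<?php
// Added example, not Matomo's code. Function names, $basePath and the
// sample error below are assumptions constructed for the illustration.
declare(strict_types=1);

/**
 * Gate for the detailed error block: require BOTH super-user access and an
 * explicit troubleshooting request. The template in the thread used
 * "superuser OR not anonymous", which exposes details to every logged-in user.
 */
function shouldShowErrorDetails(bool $isSuperUser, bool $troubleshootRequested): bool
{
    return $isSuperUser && $troubleshootRequested;
}

/**
 * Replace every occurrence of the install directory in $text with a fixed
 * placeholder, so file references become relative to the install root.
 * Separators are normalised first so a Windows-style path is covered too.
 */
function redactBasePath(string $text, string $basePath): string
{
    $base = rtrim(str_replace('\\', '/', $basePath), '/');
    if ($base === '') {
        return $text; // nothing to redact
    }
    $normalised = str_replace('\\', '/', $text);
    return str_replace($base . '/', '<matomo-root>/', $normalised);
}

/**
 * Build the error text a given user is allowed to see. Non-privileged users
 * get the generic message only; privileged users get message plus location,
 * with the base path removed from both the file reference and any backtrace.
 */
function renderFatalError(array $lastError, string $basePath, bool $isSuperUser, bool $troubleshootRequested): string
{
    if (!shouldShowErrorDetails($isSuperUser, $troubleshootRequested)) {
        return 'A fatal error occurred. Please contact your Matomo administrator.';
    }
    $location = isset($lastError['backtrace'])
        ? $lastError['backtrace']
        : 'in ' . $lastError['file'] . ' line ' . $lastError['line'];
    return redactBasePath($lastError['message'] . "\n" . $location, $basePath);
}

// Constructed sample mirroring the shape of the report's output (path and
// message are assumptions, abbreviated from the thread).
$basePath  = '/var/www/html/mato/piwik';
$lastError = [
    'message' => 'Neither the property "getRows" nor one of the methods "getRows()" exist in class "Piwik\\DataTable\\Map".',
    'file'    => '/var/www/html/mato/piwik/plugins/CoreVisualizations/templates/_dataTableViz_htmlTable.twig',
    'line'    => 21,
];

// Logged-in, non-super user: generic message only.
echo renderFatalError($lastError, $basePath, false, false), "\n\n";
// Super user troubleshooting: details shown, but the file path is relative to <matomo-root>.
echo renderFatalError($lastError, $basePath, true, true), "\n";
```

Redacting at render time rather than only tightening the access check is deliberate: the same $lastError data is also fed into the mailto link in the template, so stripping the base path once, before the value is used anywhere, keeps the path out of both the page and the generated bug-report e-mail.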

@GIJohnathan

Author

commented May 20, 2019

Hi, @fdellwing has a great point, @Findus23 can you confirm this is a vulnerability please?

@sgiehl

Member

commented May 20, 2019

The issue of why that message appears at all was fixed in #14023.
In general, please avoid reporting path disclosures, as we don't consider them security vulnerabilities. See https://matomo.org/security/

If you have any other URLs that are throwing any kind of unexpected error, feel free to create issues for those errors (not any containing path disclosures).

@sgiehl sgiehl closed this May 20, 2019

@sgiehl sgiehl added the duplicate label May 20, 2019
