Make archive.sh not accessible via http #599
Comments
Should also add a .htaccess file (Deny from all) for those who don’t RTM. Also, in misc/cron/archive.sh, add ‘month’ to: ```
“Deny from all” only restricts access on servers that recognise .htaccess. But better than nothing …
I totally agree with this and this should be fixed in the next release. If you want to submit a patch to do that in shell in archive.sh, that would be great :-) vipsoft, we don’t need to add month, as year archives all months and then sums the months in the year to get the year data.
Attachment: first step is to get the php5 path, or? :)
Also, we should update the documentation on http://piwik.org/docs/setup-auto-archiving/ when done (and clarify the last section; now overriding config file values should be done in config.ini.php).
To get the current path of the archive script automatically (to read the config file): http://fritzthomas.com/open-source/linux/384-how-to-get-the-absolute-path-within-the-running-bash-script/
Attachment: here’s a new version of the archive.sh file, please review it. If I should create a patch, please ask.
What I don’t like about my version is getting the username and password, but I haven’t found an easier way yet…
Assuming the superuser section appears first in the config file, an alternative is to use sed, e.g., ``` Or if these are double quoted: ```
Code should be solid indeed, works for ``` Note: ```
Also, the code could error if login is empty, or if the password length <> 32.
This delays the match until it sees the [superuser] section, and ignores whitespace and double quotes. ``` It’s not bulletproof, but if the [superuser] section isn’t properly configured, the user has a bigger problem than archive.sh not working.
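The config-reading approach the last few comments converge on (match login/password only once the [superuser] section has been seen, tolerate surrounding whitespace and double quotes, and fail if the login is empty or the password is not a 32-character hash) as an added example in POSIX shell using awk instead of the sed one-liners quoted above. This is not code from Piwik, from archive.sh or from the attached patch; the function names (ini_get, superuser_credentials), the sample config.ini.php contents and the placeholder hash are all constructed for illustration.

```shell
#!/bin/sh
# Added example, not Piwik's archive.sh. Reads the superuser credentials from a
# Piwik-style config.ini.php. The [database] section also has "login" and
# "password" keys, so matching must be restricted to the [superuser] section.

# ini_get FILE SECTION KEY: print the value of KEY inside [SECTION], or nothing.
# KEY is used as a regex fragment, so it must be a plain identifier.
ini_get() {
    awk -v section="$2" -v key="$3" '
        # A line such as "  [superuser]  " starts a section: note whether it is ours.
        /^[ \t]*\[.*\][ \t]*$/ {
            sec = $0; gsub(/[ \t]/, "", sec)
            sec = substr(sec, 2, length(sec) - 2)
            insec = (sec == section); next
        }
        insec && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)          # drop the "key =" prefix
            if (val ~ /^"/) {                        # "quoted value"  ; comment
                sub(/^"/, "", val); sub(/".*$/, "", val)
            } else {                                 # bare value  ; comment
                sub(/[ \t]*;.*$/, "", val); sub(/[ \t]+$/, "", val)
            }
            print val; exit
        }
    ' "$1"
}

# superuser_credentials FILE: print "login password", or fail with a reason.
# Rejects an empty login and any password that is not a 32-char hex MD5 digest.
superuser_credentials() {
    login=$(ini_get "$1" superuser login)
    password=$(ini_get "$1" superuser password)
    if [ -z "$login" ]; then
        echo "error: [superuser] login is empty or missing in $1" >&2; return 1
    fi
    case "$password" in
        *[!0-9a-f]*|"") echo "error: [superuser] password is not a hex hash in $1" >&2; return 1 ;;
    esac
    if [ "${#password}" -ne 32 ]; then
        echo "error: [superuser] password length is ${#password}, expected 32, in $1" >&2; return 1
    fi
    printf '%s %s\n' "$login" "$password"
}

# Constructed sample config (not a real Piwik file). The [database] section
# comes first and carries its own login/password, which must not be picked up;
# the [superuser] header is indented and values are quoted with a trailing comment.
GOOD_CONFIG=$(mktemp)
cat > "$GOOD_CONFIG" <<'EOF'
; <?php exit; ?> DO NOT REMOVE THIS LINE
[database]
login = "dbuser"
password = "dbpass"

  [superuser]
login = "admin"
password = "5f4dcc3b5aa765d9d8ff8b5b5c5e5e5e"   ; constructed 32-char placeholder
salt = abc123
EOF

# Constructed misconfigured sample: bare values and a 31-character password.
BAD_CONFIG=$(mktemp)
cat > "$BAD_CONFIG" <<'EOF'
[superuser]
login = admin
password = 5f4dcc3b5aa765d9d8ff8b5b5c5e5e5
EOF
trap 'rm -f "$GOOD_CONFIG" "$BAD_CONFIG"' EXIT

superuser_credentials "$GOOD_CONFIG"   # prints: admin 5f4dcc3b5aa765d9d8ff8b5b5c5e5e5e
if superuser_credentials "$BAD_CONFIG"; then
    echo "unexpected: misconfigured file was accepted"
fi
```

Because the section name is tracked by state rather than by assuming [superuser] comes first, the order of sections in config.ini.php no longer matters, which is the weakness of the "superuser section appears first" sed variant. The length and hex checks implement the "login is empty / password length <> 32" concern from the thread; the script refuses to run rather than passing a malformed token to the API.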
Attachment: patch file with vipsoft’s sed version.
Attachment: forgot to remove cat. New version.
(In 990) – fixes #599 Make archive.sh not accessible via http; patch by pebosi and vipsoft! |
thanks guys, and well done pebosi for your first patch :) |
Just a final comment to clarify this issue, classified by others as an “access vulnerability”. Piwik is secure by default. Up to and including 0.2.32, archive.sh does not ship with the superuser’s API key and Piwik never configures this file with the superuser’s API key. Not through the installer, not through the admin panel (no facility is provided to do this). archive.sh requires a Unix (or Unix-like) environment (i.e., bash script), and command line php5 to be installed. By default, archiving is an internal Piwik process. The external archive.sh file is not required by default. To a certain degree, this vulnerability is user error. To expose the API key, the user knowingly edits this file manually, and is assumed to have sufficient Unix knowledge to set up a cron job, change file permissions, etc.
In the documentation at http://piwik.org/docs/setup-auto-archiving/ there should be a hint to place archive.sh somewhere other than the document root. If it is in the document root, everybody can download it and get the secret(?) API key.