Skip to content

Inconsistent use of cryptography - always try SSL first to connect to Piwik.org and other services #11016

New issue
New issue
Closed as not planned
Closed as not planned
Inconsistent use of cryptography - always try SSL first to connect to Piwik.org and other services#11016
Labels
c: SecurityFor issues that make Matomo more secure. Please report issues through HackerOne and not in Github.c: Website matomo.orgFor issues related to our matomo.org website.
Milestone
Priority Backlog (Help wanted)
@SimonWaters

Description

@SimonWaters
SimonWaters
opened on Dec 15, 2016

During security testing 3.0.0-rc3 I noted the following inconsistencies in the use of TLS that means someone with access to network traffic from client to servers (Piwik server or *.piwik.org) or from server to Internet could manipulate the content of pages within Piwik or executable modules, or exec within Piwik even if the end server uses TLS to protect all its page views.

  1. Download link for 3.0.0-rc2 on Piwik blog https://piwik.org/blog/2016/12/piwik-3-release-candidate/ uses HTTP not HTTPS when linking to builds.piwik.org

Mitigate this by migrating the servers to HTTPS and use HSTS to keep users using HTTPS even if they encounter an HTTPS link, including builds.piwik.org.

Although all builds are PGP signed, you wouldn't known this unless you specifically go looking for that information, when you are directed to http://piwik.org/blog/2014/11/verify-signatures-piwik-packages/ this could also mitigate or defeat people attempting to impersonate the builds.piwik.org server.

  1. Help information within in the app links to the Piwik site using HTTP when HTTPS is available.

Mitigation - use HTTPS for these links.

Use of HSTS might reduce the window for attack without needing to change all links.

Some of this information also goes via the Proxy, but still opens pages over HTTP.

  1. Feed burner information is loaded from

http://feeds.feedburner.com/Piwik

by the server to populate the Piwik Blog box by default.

plugins/RssWidget/Widgets/RssChangelog.php: $rss = new RssRenderer('http://feeds.feedburner.com/PiwikReleases');
plugins/RssWidget/Widgets/RssPiwik.php: $rss = new RssRenderer('http://feeds.feedburner.com/Piwik');

The HTTPS version of feedburner URLs are available, although there is some mixed content due to innocraft images loading over HTTP, these images aren't rendered in the RSS summary.

There doesn't appear to be any attempt to sanitise content in the RssRenderer, if the content could be relied on to be from a trusted source the current sanitisation may be sufficient, I didn't try manipulating or replacing feedburner responses, it can at least be exploited to lead users to the wrong website.

Testing of server HTTP use was incomplete, as we didn't start recording server HTTP activity before the installation was started. We noted other server initiated traffic over HTTP, but weren't able to confirm that Piwik was the source.

Metadata

Metadata

Assignees

No one assigned

    Labels

    c: SecurityFor issues that make Matomo more secure. Please report issues through HackerOne and not in Github.c: Website matomo.orgFor issues related to our matomo.org website.

    Type

    No type

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions