
Make JSON config / package static files unreachable via a GET request #18128

@samjf

Description

It seems that various JSON configuration files are easily viewable by requesting them with a simple GET request. Some examples of these are:

  • matomo-domain.example.com/plugins/AbTesting/plugin.json
  • matomo-domain.example.com/plugins/CustomVariables/plugin.json
  • matomo-domain.example.com/package-lock.json

Various files I've observed:

  • composer.json
  • plugin.json
  • package-lock.json

These could be useful to an attacker trying to monitor the patch version of Matomo sites, so the access settings should be made less permissive so that JSON files aren't as open to the web.

A useful command to enumerate over these from the core project is
find ./ -iname '*.json' | egrep -v '(vendor|lang|node_modules)'

Labels: Help wanted (beginner friendly issues or issues where we'd highly appreciate community's help and involvement); c: Security (for issues that make Matomo more secure; please report issues through HackerOne and not in GitHub).