Skip to content

error private directories are accessible #18132

New issue
New issue
Closed
#18398
Closed
error private directories are accessible#18132
#18398
Assignees
bx80
Labels
BugFor errors / faults / flaws / inconsistencies etc.RegressionIndicates a feature used to work in a certain way but it no longer does even though it should.not-in-changelogFor issues or pull requests that should not be included in our release changelog on matomo.org.
Milestone
4.7.0
@alexhass

Description

@alexhass
alexhass
opened on Oct 11, 2021

The security check fails, but security files have been generated.

./console core:create-security-files

Expected Behavior

No errors

Current Behavior

We found that the above URLs are accessible via the browser, but they should NOT be. Allowing them to be accessed can pose a potential security risk since the contents can provide information about your server and potentially your users. Please restrict access to them.

We also found that Matomo's config directory is publicly accessible. While attackers can't read the config now, if your webserver stops executing PHP files for some reason, your MySQL credentials and other information will be available to anyone. Please check your webserver config and deny access to this directory.

Possible Solution

Fix bug.

Steps to Reproduce (for Bugs)

  1. Upgrade to Matomo 4.5

Context

None

Your Environment

  • Matomo Version: 4.5
  • PHP Version: 7.3
  • Server Operating System: Debian 9
  • Browser: Google Chrome
  • Operating System: Windows 10 20H2

Metadata

Metadata

Assignees

Labels

BugFor errors / faults / flaws / inconsistencies etc.RegressionIndicates a feature used to work in a certain way but it no longer does even though it should.not-in-changelogFor issues or pull requests that should not be included in our release changelog on matomo.org.

Type

No type

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions