Matomo leaks the IP address of the backend user to plugins.matomo.org #20713

@ziegenberg

Description

Context

The marketplace plugin (https://matomo-instance.example/index.php?module=Marketplace&action=overview) performs several API calls to http://plugins.matomo.org using curl in the backend. Those calls contain several headers:

POST /api/2.0/themes?keywords=&purchase_type=&query=&sort=lastupdated&release_channel=latest_stable&prefer_stable=1&piwik=4.14.2&php=8.0.28&mysql=8.0.29-21&num_users=5&num_websites=7 HTTP/1.1
Host: plugins.matomo.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/112.0
Accept: */*
Accept-Encoding: deflate, gzip, br
X-Forwarded-For: 128.130.xxx.xxx,128.130.xxx.xxx
Via: 4.14.2  (Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/112.0)
Content-Length: 73
Content-Type: application/x-www-form-urlencoded

access_token=XXXXXX


POST /api/2.0/consumer/validate?release_channel=latest_stable&prefer_stable=1&piwik=4.14.2&php=8.0.28&mysql=8.0.29-21&num_users=5&num_websites=7 HTTP/1.1
Host: plugins.matomo.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/112.0
Accept: */*
Accept-Encoding: deflate, gzip, br
X-Forwarded-For: 128.130.xxx.xxx,128.130.xxx.xxx
Via: 4.14.2  (Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/112.0)
Content-Length: 73
Content-Type: application/x-www-form-urlencoded

access_token=XXXXXX

One of the headers is an X-Forwarded-For line containing the IP address of the user visiting the site https://matomo-instance.example/index.php?module=Marketplace&action=overview.

This leaks the IP address of the user (most likely the admins) to Matomo.

The reason is that Piwik\Http explicitly sets the X-Forwarded-For: header for all calls made by the backend:

https://github.com/matomo-org/matomo/blame/bb97c105b9134d11045e48fd98fb90b53c2246c6/core/Http.php#L253-L256

Expected Behavior

Matomo should only set the X-Forwarded-For: header when it's really deemed necessary and required by a standard.

Current Behavior

Matomo leaks the IP address of the user (most likely the admins) to plugins.matomo.org.

Possible Solution

-

Steps to Reproduce (for Bugs)

  1. Open https://demo.matomo.cloud/index.php?module=Marketplace&action=overview

Your Environment

  • Matomo Version: 4.14.2
  • PHP Version: 8.0.28
  • Server Operating System: CentOS Stream 8
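As an added example (not code from this issue or from Matomo), the following Python parses a raw request like the ones captured above, reports which addresses an X-Forwarded-For header would disclose to the remote host, and rebuilds the request without that header. The sample request, its RFC 5737 documentation addresses and the header policy list are constructed for this example.

```python
"""Detect and strip client-identifying headers from an outbound backend request."""
import ipaddress
import re

# Headers that carry the original visitor's address when a backend acts as an
# HTTP client itself. Hypothetical policy list for this example.
LEAKY_HEADERS = {"x-forwarded-for", "x-real-ip"}

# Constructed request modelled on the report; addresses are RFC 5737 examples.
SAMPLE_REQUEST = (
    "POST /api/2.0/consumer/validate?release_channel=latest_stable&piwik=4.14.2 HTTP/1.1\r\n"
    "Host: plugins.matomo.org\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/112.0\r\n"
    "Accept: */*\r\n"
    "X-Forwarded-For: 192.0.2.10, 192.0.2.11\r\n"
    "Via: 4.14.2  (Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/112.0)\r\n"
    "Content-Length: 73\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "access_token=XXXXXX"
)


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (request_line, [(name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def leaked_addresses(headers):
    """Return the IP addresses the request would disclose through leaky headers."""
    found = []
    for name, value in headers:
        if name.lower() not in LEAKY_HEADERS:
            continue
        for token in re.split(r"[,\s]+", value):
            try:
                found.append(str(ipaddress.ip_address(token)))
            except ValueError:
                pass  # masked (e.g. 128.130.xxx.xxx), empty or malformed token
    return found


def scrub_request(raw):
    """Rebuild the request with client-identifying headers removed."""
    request_line, headers, body = parse_request(raw)
    kept = [f"{n}: {v}" for n, v in headers if n.lower() not in LEAKY_HEADERS]
    return "\r\n".join([request_line] + kept) + "\r\n\r\n" + body
```

Running `leaked_addresses` over headers captured from a staging instance (for example via an outbound proxy) gives a quick regression check that no visitor address leaves with marketplace calls.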

Labels

  • Enhancement: For new feature suggestions that enhance Matomo's capabilities or add a new report, new API etc.
  • c: Privacy: For issues that impact or improve the privacy.