
Full Path Disclosure #14464

Closed
GIJohnathan opened this issue May 20, 2019 · 8 comments
Labels
duplicate For issues that already existed in our issue tracker and were reported previously.

Comments

@GIJohnathan commented May 20, 2019

A full path disclosure vulnerability was discovered in Matomo (v3.9.1) where a user can trigger a particular error to discover the full path of Matomo on the disk.

PAYLOAD
http://example.com/index.php?date=2019-04-20%2C2019-05-19&forceView=1&viewDataTable=test&module=API&action=get&widget=1&disableLink=0&idSite=1&period=day&columns=nb_outlinks%2Cnb_uniq_outlinks&colors={%22backgroundColor%22%3A%22%23ffffff%22%2C%22lineColor%22%3A%22%23162c4a%22%2C%22minPointColor%22%3A%22%23ff7f7f%22%2C%22maxPointColor%22%3A%22%2375bf7c%22%2C%22lastPointColor%22%3A%22%2355aaff%22%2C%22fillColor%22%3A%22%23ffffff%22

RESULT:

Neither the property "getRows" nor one of the methods "getRows()", "getgetRows()"/"isgetRows()" or "__call()" exist and have public access in class "Piwik\DataTable\Map".
in /var/www/html/mato/piwik/plugins/CoreVisualizations/templates/_dataTableViz_htmlTable.twig line 21

Discovered by Gionathan Armando Reale

CVE-2019-12215

@Findus23 (Member):

Hi,

On my Matomo instance this only shows the generic "A fatal error occurred" warning. Have you by chance set up your PHP to show more details than it should in production?

@fdellwing (Contributor):

I can confirm this problem, but it only works if the user has at least view access to the site.

No custom PHP settings are in place.

@GIJohnathan (Author):

No custom settings here, and yeah, it requires authentication; I did state that :)

@fdellwing (Contributor) commented May 20, 2019

This is the code that displays this additional error information:

```twig
{% if isAllowedToTroubleshootAsSuperUser or not isAnonymousUser %}
<p>
The following error just broke Matomo{% if showVersion %} (v{{ piwikVersion }}){% endif %}:
</p>
<pre>{{ lastError.message }}
{% if lastError.backtrace is defined %}{{ lastError.backtrace }}{% else %}in {{ lastError.file }} line {{ lastError.line }}{% endif %}
</pre>
<hr>
<h3>Troubleshooting</h3>
Follow these steps to solve the issue or report it to the team:
<ul>
<li>
If you have just updated Matomo to the latest version, please try to restart your web server.
This will clear the PHP opcache which may solve the problem.
</li>
<li>
If this is the first time you see this error, please try refresh the page.
</li>
<li>
<strong>If this error continues to happen</strong>, we appreciate if you send the
<a href="mailto:hello@matomo.org?subject={{ 'Fatal error in Matomo ' ~ piwikVersion|e('url') }}&body={{ lastError.message|e('url') }}%20in%20{{ lastError.file|e('url') }}%20{{ lastError.line|e('url') }}%20using%20PHP%20{{ constant('PHP_VERSION') }}">error report</a>
to the Matomo team.
</li>
</ul>
<hr/>
{% endif %}
```

So @Findus23, I would guess you tried as an anonymous user?

The easy fix would probably be to remove the basepath from `lastError.file`?
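As an added illustration of the mitigation suggested above (strip the installation root from `lastError.file` and from the backtrace before the safe-mode template renders them), here is a small PHP sketch. It is not Matomo's own code: `stripInstallPath` and `stripInstallPathFromBacktrace` are hypothetical helpers, the install root is passed in explicitly rather than read from a Matomo constant, and the `$lastError` values are constructed from the report in this issue.

```php
<?php
// Added example, not Matomo project code. Strips the installation root from
// file paths before they reach the error template, so a logged-in user sees
// "plugins/.../_dataTableViz_htmlTable.twig" rather than the server's layout.

function stripInstallPath(string $path, string $installRoot): string
{
    // Normalise separators so the same rule works on Windows hosts.
    $root = rtrim(str_replace('\\', '/', $installRoot), '/') . '/';
    $normalized = str_replace('\\', '/', $path);

    if (strncmp($normalized, $root, strlen($root)) === 0) {
        // Inside the install root: return the path relative to it.
        return substr($normalized, strlen($root));
    }

    // Outside the install root (system PHP file, extension, etc.):
    // keep only the basename so no directory layout leaks.
    return basename($normalized);
}

function stripInstallPathFromBacktrace(string $backtrace, string $installRoot): string
{
    // Backtraces are multi-line strings with many paths; remove every
    // occurrence of the install root prefix.
    $root = rtrim(str_replace('\\', '/', $installRoot), '/') . '/';
    return str_replace($root, '', str_replace('\\', '/', $backtrace));
}

// Constructed sample values modelled on the report above (hypothetical install root).
$installRoot = '/var/www/html/mato/piwik';
$lastError = [
    'message'   => 'Neither the property "getRows" nor one of the methods "getRows()" exist in class "Piwik\DataTable\Map".',
    'file'      => '/var/www/html/mato/piwik/plugins/CoreVisualizations/templates/_dataTableViz_htmlTable.twig',
    'line'      => 21,
    'backtrace' => "#0 /var/www/html/mato/piwik/core/Twig.php(123): render()\n"
                 . "#1 /usr/lib/php/example_ext.php(4): include()",
];

// Sanitise before handing $lastError to the template.
$lastError['file']      = stripInstallPath($lastError['file'], $installRoot);
$lastError['backtrace'] = stripInstallPathFromBacktrace($lastError['backtrace'], $installRoot);

echo $lastError['file'], "\n";
echo $lastError['backtrace'], "\n";
```

Note that the backtrace helper only removes the install root; paths outside it (the constructed `/usr/lib/php/...` frame) stay intact in the backtrace, so a deployment that wants no absolute paths at all would need to apply the basename rule per line as well.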

@Findus23 (Member):

Not sure what I did wrong before, but now I can get the same safemode page. But I doubt that showing the full backtrace to superusers isn't that much of a security issue and helps greatly with debugging.

I'm not sure what is causing the exception itself, as I can also reproduce it with https://dev.matomo/index.php?date=2019-04-20%2C2019-05-19&module=API&action=get&idSite=1&period=day so I guess there is a parameter missing from the request.

@fdellwing (Contributor):

The problem is that this page gets displayed for all users because the `if` has an `or`? If this information were only shown after adding `i_am_super_user`, the debugging could still happen?

@GIJohnathan (Author):

Hi, @fdellwing has a great point, @Findus23 can you confirm this is a vulnerability please?

@sgiehl (Member) commented May 20, 2019

The issue why that message appears at all was fixed in #14023.
In general, please avoid reporting path disclosures, as we don't consider them security vulnerabilities. See https://matomo.org/security/

If you have any other urls that are throwing any kind of unexpected error, feel free to create issues for those errors (not any containing path disclosures).

@sgiehl sgiehl closed this as completed May 20, 2019
@sgiehl sgiehl added the duplicate For issues that already existed in our issue tracker and were reported previously. label May 20, 2019