Opened 5 years ago

Closed 5 years ago

#571 closed Bug (fixed)

Filesystem access equals root access

Reported by: geocar
Owned by:
Priority: major
Milestone: RobotRock
Component: Security
Keywords:
Cc:
Sensitive:

Description

In addition to being able to log in as root with password=1234,
I can also log in using user root with password=81dc9bdb52d04dc20036dbd8313ed055.

This can have serious consequences if anyone can find a way to print out config/config.ini.php

There may be other situations where an attacker knows the MD5 hash (or other hash should you change digests) but not the password.

Change History (3)

comment:1 Changed 5 years ago by vipsoft (robocoder)

  • Milestone set to RobotRock

What are you proposing be changed?

(I assume by "root", you meant the Piwik superuser.)

comment:2 Changed 5 years ago by geocar

(I assume by "root", you meant the Piwik superuser.)

Yes. My config.ini.php file looks like this:

[superuser]
login = root
password = 81dc9bdb52d04dc20036dbd8313ed055

With these settings, I can log in with username=root, password=1234 *as well as* username=root, password=81dc9bdb52d04dc20036dbd8313ed055

What are you proposing be changed?

Don't compare with the password as listed in the ini-file. Instead, only compare with its hash.

In plugins/Login/Controller.php, replace this:

    if (strlen($password) != 32)
    {
        // a 32-character submission is assumed to already be the md5 hash
        $password = md5($password);
    }

with this:

    // always hash the submitted value before comparing with the stored hash
    $password = md5($password);

comment:3 Changed 5 years ago by matt (mattab)

  • Resolution set to fixed
  • Status changed from new to closed

fixed in [943]

  • CHANGED previously, it was possible to log in using the md5 hash of the password as the password, but for best practices and increased security we removed this feature.
  • CHANGED previously, it was possible to log in using the "one click logme" as described in the FAQ (http://piwik.org/faq/how-to/#faq_30); we added the rule that this method cannot be used to log in as the Super User.
  • CHANGED slight change in the API of UsersManager.getTokenAuth($userLogin, $md5Password); previously, the second parameter could be either the password or the md5 hash of the password. For increased security and consistency, the second parameter is now required to be the md5 of the password. Please call md5() on the string before calling this API method.
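
The following Python model, added here as an illustration and not code from the Piwik project or from any commenter, replays the check geocar describes in comment:2 and the post-fix `getTokenAuth` contract from comment:3. The login and hash values are the ones quoted in the ticket; the superuser entry is constructed to mirror config.ini.php. `get_token_auth` is an assumed sketch of the API's input validation, and its token derivation (md5 of login followed by the password hash) is an assumption for illustration, not a statement of Piwik's real token scheme. The example also goes one step beyond the ticket: the `strlen != 32` shortcut did not only accept the stored hash as a password, it also silently broke authentication for any genuine 32-character password.

```python
import hashlib
import hmac

# Constructed sample superuser entry, mirroring the [superuser] section of
# config/config.ini.php quoted in the ticket (md5("1234") == this hash).
SUPERUSER_LOGIN = "root"
SUPERUSER_MD5 = "81dc9bdb52d04dc20036dbd8313ed055"


def md5_hex(value: str) -> str:
    """Hex md5 digest, matching PHP's md5() on a UTF-8 string."""
    return hashlib.md5(value.encode("utf-8")).hexdigest()


def vulnerable_normalize(password: str) -> str:
    """Pre-fix plugins/Login/Controller.php logic as quoted in comment:2:
    a 32-character submission is assumed to already be the md5 hash."""
    if len(password) != 32:
        password = md5_hex(password)
    return password


def fixed_normalize(password: str) -> str:
    """Post-fix logic: the submitted value is always hashed."""
    return md5_hex(password)


def login(login_name: str, password: str, normalize,
          stored_login: str = SUPERUSER_LOGIN,
          stored_md5: str = SUPERUSER_MD5) -> bool:
    """Superuser check: compare the normalized submission with the stored hash.
    compare_digest is used so the comparison is constant-time."""
    if login_name != stored_login:
        return False
    return hmac.compare_digest(normalize(password), stored_md5)


def get_token_auth(user_login: str, md5_password: str) -> str:
    """Assumed shape of UsersManager.getTokenAuth after [943]: the second
    argument must be an md5 hex digest, never the plaintext password.
    The derivation below (md5 of login + password hash) is an illustrative
    assumption, not Piwik's actual token scheme."""
    if len(md5_password) != 32 or any(c not in "0123456789abcdef" for c in md5_password):
        raise ValueError("second parameter must be the md5 hex digest of the password")
    return md5_hex(user_login + md5_password)


if __name__ == "__main__":
    # Before the fix the stored hash works as a password; after it, only "1234" does.
    print("vulnerable, plaintext:", login("root", "1234", vulnerable_normalize))
    print("vulnerable, hash     :", login("root", SUPERUSER_MD5, vulnerable_normalize))
    print("fixed, plaintext     :", login("root", "1234", fixed_normalize))
    print("fixed, hash          :", login("root", SUPERUSER_MD5, fixed_normalize))
```

The practical consequence for an operator is the one the reporter gives: under the old check, any disclosure of config.ini.php (a misconfigured web server serving the file as text, a backup left in the docroot) hands out a working credential directly, with no cracking step, so the fix removes a whole class of impact rather than just an oddity. The test below also exercises the side effect of the length heuristic with a constructed 32-character password.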