Opened 5 years ago

Closed 5 years ago

Last modified 3 years ago

#599 closed Task (fixed)

Make archive.sh not accessible via http

Reported by: No5251
Owned by:
Priority: critical
Milestone: RobotRock
Component: Documentation
Keywords:
Cc:
Sensitive:

Description

In the documentation http://piwik.org/docs/setup-auto-archiving/ there should be a hint to place archive.sh somewhere other than the document root. If it is in the document root, everybody can download it and get the secret(?) API key.

Attachments (4)

get_php5_path.patch (420 bytes) - added by pebosi 5 years ago.
first step is to get the php5 path, or? :)
archive.sh.txt (1.2 KB) - added by pebosi 5 years ago.
here's a new version of the archive.sh file, please review it. If I should create a patch, please ask.
599_sed.patch (1.3 KB) - added by pebosi 5 years ago.
patch file with vipsoft sed version
599_sed_2.patch (1.3 KB) - added by pebosi 5 years ago.
forgot to remove cat. New version.


Change History (27)

comment:1 Changed 5 years ago by vipsoft (robocoder)

Should also add a .htaccess file (Deny from all) for those who don't RTM.

Also, in misc/cron/archive.sh, add 'month' to:

for period in day week year; do

comment:2 Changed 5 years ago by No5251

"Deny from all" only restricts access on servers that recognise .htaccess. But better than nothing ...

comment:3 Changed 5 years ago by matt (mattab)

I totally agree with this and this should be fixed in the next release.
Ideally we shouldn't need to edit this file at all, so the file wouldn't contain any sensitive info:

  • we should guess where the local php-cli sits (I think there are some unix commands to do that?)
  • we should get the md5 password from config/config.ini.php
  • call the piwik api: UsersManager.getTokenAuth (userLogin, md5Password) to get the token_auth

if you want to submit a patch to do that in shell in archive.sh that would be great :-)

vipsoft, we don't need to add month, as year archives all months and then sums the months in the year to get the year data.

comment:4 Changed 5 years ago by matt (mattab)

  • Milestone changed from DigitalVibes to RobotRock

Changed 5 years ago by pebosi

first step is to get the php5 path, or? :)

comment:5 follow-up: Changed 5 years ago by matt (mattab)

also we should update the documentation on http://piwik.org/docs/setup-auto-archiving/ when done (and clarify the last section; now overriding config file values *should* be done in config.ini.php).

Changed 5 years ago by pebosi

here's a new version of the archive.sh file, please review it. If I should create a patch, please ask.

comment:7 Changed 5 years ago by pebosi

what I don't like in my version is getting the username and password, but I haven't found an easier way yet...

comment:8 Changed 5 years ago by vipsoft (robocoder)

Assuming the superuser section appears first in the config file, an alternative is to use sed, e.g.,

PIWIK_SUPERUSER=`sed '/^login = /!d;s///;q' $PIWIK_CONFIG`
PIWIK_SUPERUSER_PASSWORD=`sed '/^password = /!d;s///;q' $PIWIK_CONFIG`

Or if these are double quoted:

PIWIK_SUPERUSER=`sed '/^login = "*/!d;s///;s/"$//;q' $PIWIK_CONFIG`
PIWIK_SUPERUSER_PASSWORD=`sed '/^password = "*/!d;s///;s/"$//;q' $PIWIK_CONFIG`

comment:9 Changed 5 years ago by matt (mattab)

code should be solid indeed, works for

login=root
login = root
login = "root"
login	=root (with tab)

note:

  • login & password cannot contain a double quote; it would be encoded as &quot;, so it's safe to sed out any double quote.
  • I don't think we can assume the [superuser] section will be first; other sections containing password keys could be there before it. However I think it can be done easily, by getting the line number of the [superuser] string using grep, then grepping content from this line number using
    tail -n+15 file # returns all lines after the 15th line

comment:10 Changed 5 years ago by matt (mattab)

also, code could error if login is empty, or if password length <> 32

comment:11 Changed 5 years ago by vipsoft (robocoder)

This delays the match until it sees the [superuser] section, and ignores whitespace and double quotes.

PIWIK_SUPERUSER=`sed '/^\[superuser\]/,$!d;/^login[ \t]*=[ \t]*"*/!d;s///;s/"*[ \t]*$//;q' $PIWIK_CONFIG`
PIWIK_SUPERUSER_PASSWORD=`sed '/^\[superuser\]/,$!d;/^password[ \t]*=[ \t]*"*/!d;s///;s/"*[ \t]*$//;q' $PIWIK_CONFIG`

It's not bulletproof, but if the [superuser] section isn't properly configured, the user has a bigger problem than archive.sh not working.
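A combined worked example for comments 3, 9, 10 and 11 (added here; it is not the ticket's patch nor Piwik's own archive.sh): it pulls the [superuser] login and md5 password out of a constructed config.ini.php, applies the checks from comment 10, and builds the UsersManager.getTokenAuth request from comment 3 instead of storing a token in the script. It goes slightly beyond comment 11 by stopping the sed at the next section header; the sample config, the host name and the index.php?module=API URL shape are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the ticket. Constructed sample config.ini.php:
# a [database] section with its own "password" key comes before [superuser],
# so a first-match sed (comment 8) would pick up the database password.
SAMPLE_CONFIG="${TMPDIR:-/tmp}/piwik_config_sample_$$.ini.php"
trap 'rm -f "$SAMPLE_CONFIG"' EXIT
{
    printf '; <?php exit; ?> DO NOT REMOVE THIS LINE\n'
    printf '[database]\nhost = "localhost"\npassword = "dbsecret"\n'
    printf '[superuser]\nlogin\t= "root"\n'
    printf 'password = "00112233445566778899aabbccddeeff"\n[log]\n'
} > "$SAMPLE_CONFIG"
TAB=$(printf '\t')   # literal tab keeps the bracket expressions POSIX

# Read one key from the [superuser] section only, in the spirit of comment 11:
# keep lines from [superuser] up to the next section header, keep the first line
# for the key, strip the key, quotes and surrounding whitespace, then quit.
superuser_value() {  # $1 = config path, $2 = key name
    sed '/^\[superuser\]/,/^\[/!d;/^'"$2"'[ '"$TAB"']*=[ '"$TAB"']*"*/!d;s///;s/"*[ '"$TAB"']*$//;q' "$1"
}

# Checks from comment 10: non-empty login and a 32-character md5 hex digest.
validate_superuser() {  # $1 = login, $2 = md5 password
    [ -n "$1" ] || return 1
    printf '%s' "$2" | grep -Eq '^[0-9a-f]{32}$'
}

# The UsersManager.getTokenAuth call from comment 3, built but not sent: the
# token_auth is fetched at run time, so no secret is stored in the script.
# The index.php?module=API URL shape is an assumption of this example.
token_auth_url() {  # $1 = Piwik base URL, $2 = login, $3 = md5 password
    printf '%s/index.php?module=API&method=UsersManager.getTokenAuth&userLogin=%s&md5Password=%s\n' "$1" "$2" "$3"
}

# Stand-alone run against the constructed config
PIWIK_SUPERUSER=$(superuser_value "$SAMPLE_CONFIG" login)
PIWIK_SUPERUSER_PASSWORD=$(superuser_value "$SAMPLE_CONFIG" password)
if validate_superuser "$PIWIK_SUPERUSER" "$PIWIK_SUPERUSER_PASSWORD"; then
    token_auth_url "http://piwik.example.invalid" "$PIWIK_SUPERUSER" "$PIWIK_SUPERUSER_PASSWORD"
else
    echo "config.ini.php: [superuser] login/password missing or malformed" >&2
fi
```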

Changed 5 years ago by pebosi

patch file with vipsoft sed version

Changed 5 years ago by pebosi

forgot to remove cat. New version.

comment:12 Changed 5 years ago by matt (mattab)

  • Resolution set to fixed
  • Status changed from new to closed

(In [990]) - fixes #599 Make archive.sh not accessible via http; patch by pebosi and vipsoft!

comment:13 Changed 5 years ago by matt (mattab)

thanks guys, and well done pebosi for your first patch :)

comment:14 follow-ups: Changed 5 years ago by vipsoft (robocoder)

Just a final comment to clarify this issue, classified by others as an "access vulnerability".

Piwik is secure by default. Up to and including 0.2.32, archive.sh does not ship with the superuser's API key and Piwik never configures this file with the superuser's API key. Not through the installer, not through the admin panel (no facility is provided to do this). archive.sh requires a Unix (or Unix-like) environment (i.e., a bash script) and command-line php5 to be installed.

By default, archiving is an internal Piwik process. The external archive.sh file is not required by default.

To a certain degree, this vulnerability is user error. To expose the API key, the user knowingly edits this file manually, and is assumed to have sufficient Unix knowledge to set up a cron job, change file permissions, etc.
