Security: Anonymous access to 'Sites Management' even in 'NO ACCESS' mode #635
Comments
|
The tracker code is public information. The site manager page may be accessible, but it doesn’t display any site information to which the anonymous user has ‘no access’. I suppose we could restrict access to even this page. The feedback module is for the public to submit feedback. If you read the plugin description from the plugin admin screen, it reads: ``` You’re welcome to deactivate this plugin. |
|
Oops. Given ticket #554, we won’t be blocking access to the site manager page. |
This issue was closed.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Anonymous users can still access the site management section of Piwik even when they have been restricted with ‘No Access’
Calling the URL’s;
/index.php?module=SitesManager&action=displayJavascriptCode&idsite=1
/index.php?module=SitesManager&action=index&idsite=1
/index.php?module=Feedback&action=index&idsite=1&keepThis=true&TB_iframe=true&height=400&width=350
Will all display results with out authentication.
Other pages maybe affected, but these are the ones I know of.
The data exposed isn’t critical but still poses a minor security issue.
The text was updated successfully, but these errors were encountered: