matomo-org / matomo

Empowering People Ethically with the leading open source alternative to Google Analytics that gives you full control over your data. Matomo lets you easily collect data from websites & apps and visualise this data and extract insights. Privacy is built-in. Liberating Web Analytics. Star us on Github? +1. And we love Pull Requests!
https://matomo.org/
GNU General Public License v3.0

mkdir ($dir,"777") #11843

Closed GerardBol closed 4 years ago

GerardBol commented 7 years ago

I use rsfirewall on my Joomla site.

This rsfirewall detects mkdir($dir,"777") in the source of piwik. Why 777 and set all access open?

Findus23 commented 7 years ago

Do you know which file rsfirewall is complaining about? Most references to 777 I found are in the tests, which shouldn't influence piwik users (as the tests/ directory isn't included in the piwik zip).

Findus23 commented 7 years ago

I found two places where piwik does a chmod 777. All other chmod calls use 755 or 600:
https://github.com/piwik/piwik/blob/3.x-dev/core/Profiler.php#L324
https://github.com/piwik/piwik/blob/3.x-dev/core/Db/BatchInsert.php#L268

GerardBol commented 7 years ago

pw/Piwik/core/Updater/Migration/Db/Factory.php The file has been modified woensdag 31 mei 2017

Possible PHP Injection - function name contains only numbers.

_1(10)

pw/Piwik/vendor/doctrine/cache/lib/Doctrine/Common/Cache/FileCache.php The file has been modified woensdag 31 mei 2017

Unsafe directory creation - 0777 permissions.

mkdir($path, 0777

pw/Piwik/vendor/doctrine/annotations/lib/Doctrine/Common/Annotations/FileCacheReader.php The file has been modified dinsdag 15 november 2016

Unsafe directory creation - 0777 permissions.

mkdir($cacheDir, 0777

pw/Piwik/vendor/pear/archive_tar/Archive/Tar.php The file has been modified woensdag 31 mei 2017

Unsafe directory creation - 0777 permissions.

mkdir($v_header['filename'], 0777

pw/Piwik/vendor/monolog/monolog/src/Monolog/Handler/StreamHandler.php The file has been modified woensdag 31 mei 2017

Unsafe directory creation - 0777 permissions.

mkdir($dir, 0777

pw/Piwik/vendor/twig/twig/lib/Twig/Cache/Filesystem.php The file has been modified woensdag 31 mei 2017

Unsafe directory creation - 0777 permissions.

mkdir($dir, 0777

pw/Piwik/vendor/twig/twig/.php_cs.dist The file has been modified woensdag 31 mei 2017

Suspicious filename found. Files with a dot in front of them are usually hidden by the operating system.

.php_cs.dist

pw/Piwik/vendor/piwik/decompress/libs/PclZip/pclzip.lib.php The file has been modified woensdag 31 mei 2017

Unsafe directory creation - 0777 permissions.

mkdir($p_dir, 0777

pw/Piwik/vendor/szymach/c-pchart/.scrutinizer.yml The file has been modified woensdag 31 mei 2017

Suspicious filename found. Files with a dot in front of them are usually hidden by the operating system.

.scrutinizer.yml

pw/Piwik/plugins/LanguagesManager/Commands/CreatePull.php The file has been modified woensdag 31 mei 2017

Possible PHP injection (file download)

shell_exec('curl

pw/Piwik/libs/bower_components/materialize/.npmignore The file has been modified woensdag 31 mei 2017

Suspicious filename found. Files with a dot in front of them are usually hidden by the operating system.


Findus23 commented 7 years ago

Piwik/core/Updater/Migration/Db/Factory.php Possible PHP Injection - function name contains only numbers. _1(10)

I am not sure what your tester means, but I couldn't find a function whose name only contains numbers in https://github.com/piwik/piwik/blob/3.x-dev/core/Updater/Migration/Db/Factory.php

pw/Piwik/vendor/doctrine/cache/lib/Doctrine/Common/Cache/FileCache.php
pw/Piwik/vendor/doctrine/annotations/lib/Doctrine/Common/Annotations/FileCacheReader.php
pw/Piwik/vendor/pear/archive_tar/Archive/Tar.php
pw/Piwik/vendor/monolog/monolog/src/Monolog/Handler/StreamHandler.php
pw/Piwik/vendor/twig/twig/lib/Twig/Cache/Filesystem.php
pw/Piwik/vendor/twig/twig/.php_cs.dist
pw/Piwik/vendor/piwik/decompress/libs/PclZip/pclzip.lib.php
pw/Piwik/vendor/szymach/c-pchart/.scrutinizer.yml
pw/Piwik/libs/bower_components/materialize/.npmignore

Those are third-party libraries which may or may not have good reasons for doing that. You'll need to contact them if you want to know why they are using 777.

pw/Piwik/plugins/LanguagesManager/Commands/CreatePull.php

This plugin uses shell_exec to create pull requests updating the language files (https://github.com/piwik/piwik/pull/11820). I doubt a piwik user will use this function.
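The following is an added example, not code from the Matomo/Piwik project or from anyone in this thread, that shows what the scanner's "0777" finding actually means on a POSIX system. PHP's mkdir() mode argument is only a ceiling: the kernel ANDs it with the inverse of the process umask, so mkdir($dir, 0777) under the usual web-server umask of 022 produces a 0755 directory, not a world-writable one. It also shows the separate pitfall hiding in the issue title: a quoted "777" is coerced to the decimal integer 777, which is octal 01411 (sticky bit, owner read-only), not 0777. The helper createRestrictedDir() is a hypothetical name for the defensive pattern of creating with an explicit mode and then calling chmod(), which is not masked by the umask; the directories under sys_get_temp_dir() are constructed for the demonstration.

```php
<?php
// Added example (not Matomo/Piwik project code): how the umask shapes the
// mode that mkdir() actually produces, and how to create a directory with a
// mode that does not depend on the caller's umask.

declare(strict_types=1);

/**
 * Permission bits a directory receives when mkdir() is called with
 * $requestedMode under a process umask of $umask (POSIX: mode & ~umask).
 * Pure function so the rule can be checked without touching a filesystem.
 */
function effectiveMode(int $requestedMode, int $umask): int
{
    return $requestedMode & ~$umask & 0777;
}

/**
 * Hypothetical helper: create $dir with an explicit, restrictive mode.
 * mkdir()'s mode is masked by the umask, but chmod() is not, so the chmod
 * makes the result deterministic whatever umask the SAPI or cron job inherited.
 */
function createRestrictedDir(string $dir, int $mode = 0700): bool
{
    if (is_dir($dir)) {
        return chmod($dir, $mode);
    }
    // The mode passed here is only a ceiling; the umask may lower it.
    if (!mkdir($dir, $mode, true)) {
        return false;
    }
    return chmod($dir, $mode);
}

// Demonstration with constructed temporary directories.
$base = sys_get_temp_dir() . '/mkdir-mode-demo-' . bin2hex(random_bytes(4));

$oldUmask = umask(022);                       // typical default for a web server

// 1. The pattern the scanner flags: 0777 masked by umask 022 gives 0755.
mkdir($base . '/open', 0777, true);
printf("mkdir 0777 under umask 022  -> %04o (expected %04o)\n",
    fileperms($base . '/open') & 0777, effectiveMode(0777, 022));

// 2. The issue title's "777": decimal 777 is octal 01411, i.e. sticky bit,
//    owner r--, group --x, other --x. Not what the author of such code meant.
mkdir($base . '/string777', (int) "777");
printf("mkdir \"777\" (decimal 777)  -> %04o\n", fileperms($base . '/string777') & 07777);

// 3. Explicit mode plus chmod: 0700 regardless of umask.
createRestrictedDir($base . '/private');
printf("createRestrictedDir()       -> %04o\n", fileperms($base . '/private') & 0777);

umask($oldUmask);

// Cleanup of the constructed directories.
foreach (['open', 'string777', 'private'] as $d) {
    rmdir("$base/$d");
}
rmdir($base);
```

The practical reading of the thread's finding follows from this: a library that writes mkdir($dir, 0777) is deferring the decision to the deployment's umask, which is why such code is common in caches and log handlers, and why the actual risk depends on the umask of the PHP process rather than on the literal. When a directory must never be group- or world-accessible (cache keys, session data, generated config), passing 0700 or 0750 and following up with chmod() removes that dependency; checking the resulting mode with stat or fileperms() after deployment is the corresponding verification step.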

mattab commented 4 years ago

Thanks for contributing to this issue. As it has been a few months since the last activity and we believe this is likely not an issue anymore, we will now close this. If that's not the case, please do feel free to either reopen this issue or open a new one. We will gladly take a look again!