Closed hoyin2013 closed 1 year ago
I am not really sure this is a valid report for this project. From what I can see, this report is about how you host Matomo, and all these things could be configured. And how you host this code is up to you. And some parts of the report are not valid at all (autocomplete field for user login? SSL/TLS Certificate Common Name Mismatch?)
Hello, all these issues were reported by security software. Some meta tags such as `http-equiv='Content-Security-Policy'` have been mentioned. Should these tags be added to the header section of certain pages, such as the homepage of a website?
Hello @hoyin2013,
I would agree with @mikkeschiren that this doesn't really sound like a security issue with Matomo itself. From your report it's not very clear on what domain/against what installation you ran the tests, what was tested and what software was used, so that we could validate the findings etc.
If you believe there's a genuine security issue with Matomo, please follow the process described on the Security page.
Hi @hoyin2013, thanks for the feedback.
Could you share the name of the security software producing this list?
Was it run against a website that includes Matomo tracking or against a clean Matomo installation?
Many of the raised issues are generic best practice statements which don't provide enough information for us to verify or are not applicable to Matomo (e.g. Credit Card Number Disclosure), others are specific to the way Matomo is hosted and beyond the scope of the application itself.
We take security very seriously and run a bug bounty program and participate in a hackerone security program.
Hi team, we found some security issues via security software, as follows. Hope you can fix them in the next version. Thx.
`autocomplete` within the HTML form to improve the usability of the page. With `autocomplete` enabled (default), the browser is allowed to cache previously entered form values. For legitimate purposes, this allows the user to quickly re-enter the same data when completing the form multiple times. When `autocomplete` is enabled on either/both the username and password fields, this could allow a cyber-criminal with access to the victim's computer the ability to have the victim's credentials automatically entered as the cyber-criminal visits the affected page. Scanner has discovered that the affected page contains a form containing a password field that has not disabled `autocomplete`.

The `autocomplete` value can be configured in two different locations. The first and most secure location is to disable the `autocomplete` attribute on the `<form>` HTML tag. This will disable `autocomplete` for all inputs within that form. An example of disabling `autocomplete` within the form tag is `<form autocomplete=off>`. The second, slightly less desirable option is to disable the `autocomplete` attribute for a specific `<input>` HTML tag. While this may be the less desired solution from a security perspective, it may be the preferred method for usability reasons, depending on the size of the form. An example of disabling the `autocomplete` attribute within a password input tag is `<input type=password autocomplete=off>`.
`Strict-Transport-Security` header be configured on the server. One of the options for this header is `max-age`, which is a representation (in milliseconds) determining the time in which the client's browser will adhere to the header policy. Depending on the environment and the application this time period could be from as low as minutes to as long as days.
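The two checks quoted from the scanner above (a password field whose `<form>` or `<input>` lacks `autocomplete=off`, and the `max-age` directive of `Strict-Transport-Security`) are simple enough to reproduce offline, which is also the quickest way to see why the maintainers call them hosting questions rather than Matomo bugs. The script below is an added example written for this thread; it is not Matomo's code and not the scanner's. It parses a constructed login page and a few constructed header values; the form ids, action paths and the 180-day minimum `max-age` threshold are assumptions for illustration. Note that per RFC 6797 `max-age` is expressed in seconds, not milliseconds as the scanner text says, so `max-age=31536000` is one year.

```python
"""Offline re-implementation of two scanner checks quoted in the report.

1. Strict-Transport-Security: parse max-age (seconds, RFC 6797) and flags.
2. Forms with a password field where neither the <form> nor the <input>
   sets autocomplete=off (the rule exactly as the scanner states it).

Added example for this issue thread; constructed sample data only.
"""
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import Optional


@dataclass
class HstsPolicy:
    present: bool
    max_age: Optional[int] = None      # seconds, NOT milliseconds
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value such as
    'max-age=31536000; includeSubDomains; preload'. Directive names are
    case-insensitive; an unparsable max-age is reported as None."""
    if header_value is None:
        return HstsPolicy(present=False)
    policy = HstsPolicy(present=True)
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                policy.max_age = int(value.strip().strip('"'))
            except ValueError:
                policy.max_age = None
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
    return policy


def hsts_findings(header_value, min_age_seconds=15552000):
    """Return finding strings for the header; an empty list means it passes.
    min_age_seconds defaults to 180 days (an assumed threshold, not the
    scanner's; the header is set by the web server / proxy, not the app)."""
    p = parse_hsts(header_value)
    if not p.present:
        return ["Strict-Transport-Security header missing"]
    findings = []
    if p.max_age is None:
        findings.append("max-age directive missing or unparsable")
    elif p.max_age < min_age_seconds:
        findings.append(f"max-age {p.max_age}s is below {min_age_seconds}s")
    if not p.include_subdomains:
        findings.append("includeSubDomains not set")
    return findings


class _PasswordFormParser(HTMLParser):
    """Collect each <form>'s autocomplete value and its password inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}   # bare attrs have v=None
        if tag == "form":
            self._current = {
                "id": a.get("id") or a.get("action") or f"form#{len(self.forms) + 1}",
                "autocomplete": a.get("autocomplete", "").lower(),
                "password_inputs": [],
            }
            self.forms.append(self._current)
        elif (tag == "input" and self._current is not None
              and a.get("type", "").lower() == "password"):
            self._current["password_inputs"].append(
                {"name": a.get("name", ""), "autocomplete": a.get("autocomplete", "").lower()})

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def forms_missing_autocomplete_off(html):
    """Ids of forms containing a password field where neither the form nor
    every password field sets autocomplete=off. This is the scanner's rule
    verbatim; see the usage note for why browsers no longer honour it."""
    parser = _PasswordFormParser()
    parser.feed(html)
    flagged = []
    for form in parser.forms:
        if not form["password_inputs"] or form["autocomplete"] == "off":
            continue
        if any(inp["autocomplete"] != "off" for inp in form["password_inputs"]):
            flagged.append(form["id"])
    return flagged


# Constructed sample page: only the first form should be flagged.
SAMPLE_HTML = """
<form id="login" action="/index.php" method="post">
  <input type="text" name="form_login"><input type="password" name="form_password">
</form>
<form id="search" action="/search"><input type="text" name="q"></form>
<form id="login_form_off" autocomplete="off" action="/login2">
  <input type="password" name="pw">
</form>
<form id="login_input_off" action="/login3">
  <input type="password" name="pw" autocomplete="off">
</form>
"""

if __name__ == "__main__":
    print("forms lacking autocomplete=off:", forms_missing_autocomplete_off(SAMPLE_HTML))
    for hdr in (None, "max-age=300", "max-age=31536000; includeSubDomains"):
        print(repr(hdr), "->", hsts_findings(hdr) or "ok")
```

Two caveats a practitioner would add before acting on either finding. First, the HSTS header (and the `max-age` it carries) is emitted by the web server or reverse proxy in front of Matomo, so it belongs in the Apache/nginx/CDN configuration, which is exactly why the maintainers treat it as a hosting matter. Second, current Chrome, Firefox and Safari deliberately ignore `autocomplete="off"` on login and password fields so that their password managers still work, so the scanner's remedy no longer changes browser behaviour; the values browsers do honour today are `autocomplete="current-password"` and `autocomplete="new-password"`, which exist for password-manager hinting, not for suppressing storage.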