Do I get informed if PHP changes the piwik.js?


(hamburger) #1

Hi there,
I just installed Piwik. There I get a notice that I have to change the rights of piwik.js because it will be changed by the program. I would like to get a notification when it is done. Is there one?


(Fabian Dellwing) #2

There is no such notification.

The piwik.js can get modified mainly by Plugins that you install.


(hamburger) #3

Isn’t it dangerous when plugins can manipulate my .js file? I think it’s better to have a switch. Otherwise I have to check all plugins for malicious code.


(Fabian Dellwing) #4

@Lukas Please say something about this. I don’t have enough insight for this.


(Peterbo) #5

If you install 3rd party plugins with malicious code, your js file is only one of your many problems then (though until now, I didn’t see a malicious plugin yet). Disable the plugin CustomPiwikJs if you don’t want plugins to change the tracker JS. But then, features like heatmap (or any other plugin that needs to insert custom code to the js file) will not be available.


(Lukas Winkler) #6

Hi,

As @peterbo mentioned, there are far more things a malicious plugin could do.

The piwik.js should only change when a plugin updates or is (de)activated or when Matomo is upgraded.


(hamburger) #7

Have a look here:
https://hackernoon.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5


(Fabian Dellwing) #8

This article is like 5 years old and I already read it a long time ago.


(Lukas Winkler) #9

That’s why you don’t use any third parties you don’t have control over and instead just Open Source software and software you trust on your own server.


(Peterbo) #10

A possibly misused feature is not a security risk per se (then all OSes would be). General security concepts apply to this situation as well: If you have superuser permission to any part of your infrastructure, better know what you’re doing. Part of this is not installing plugins from 3rd party. If you use anything which is not possibly monitored for security (e.g. the core plugins are), have a malware monitoring for your pages at any time. If you are tracking critical infrastructure, apply common sense and a security workflow to your setup decisions.
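
Since the thread establishes that Matomo sends no notification when piwik.js is rewritten, the following is an added example (not from any poster and not Matomo code) of a checksum comparison that can be run from cron to report a change, so it can be matched against a plugin update, (de)activation or upgrade. The function name, state directory layout and paths are assumptions.

```shell
#!/bin/sh
# Added example: report when the tracker JS changes on disk.
# Assumptions (not from the thread): the function name, the state directory
# layout, and that sha256sum is available on the server.

# check_tracker FILE STATE_DIR
#   returns 0 = unchanged, 1 = changed, 2 = error, 3 = first run (baseline stored)
check_tracker() {
    file=$1
    state=$2
    name=$(basename "$file")

    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    mkdir -p "$state" || return 2
    current=$(sha256sum "$file" | cut -d' ' -f1)

    if [ ! -f "$state/$name.sha256" ]; then
        # First run: remember hash and keep a copy of the content.
        cp -p "$file" "$state/$name.last" || return 2
        printf '%s\n' "$current" > "$state/$name.sha256"
        echo "baseline recorded: $file $current"
        return 3
    fi

    previous=$(cat "$state/$name.sha256")
    if [ "$current" = "$previous" ]; then
        return 0
    fi

    # Changed: keep the previous content for review, then move the baseline.
    mv "$state/$name.last" "$state/$name.prev"
    cp -p "$file" "$state/$name.last"
    printf '%s\n' "$current" > "$state/$name.sha256"
    echo "CHANGED: $file"
    echo "  old sha256: $previous"
    echo "  new sha256: $current"
    echo "  previous copy kept at: $state/$name.prev"
    return 1
}

# Stand-alone use, e.g. from cron (cron mails any output to the job owner):
#   check-tracker.sh /path/to/matomo/piwik.js /var/lib/tracker-watch
if [ "$#" -eq 2 ]; then
    check_tracker "$1" "$2"
fi
```

The state directory should be writable only by the account running the check, not by the web server user that is allowed to rewrite piwik.js.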