Piwik.js of Piwik 1.2 seems to load endlessly when behind certain firewalls


#1

Hello,

There’s something in piwik.js in version 1.2 that triggers a false positive for a certain type of Mozilla Regex Exploit in Snort configurations for Astaro firewall/VPN appliances. For the user it looks like the request to piwik.js is running forever, i.e. the reply is never coming back. The reply is in fact being dropped by Snort (IDS/IPS). You’ll find a message like this in the logs:

2011:03:16-17:19:38 vpn snort[18199]: id=“2101” severity=“warn” sys=“SecureNet” sub=“ips” name=“Intrusion protection alert” action=“drop” reason=“WEB-CLIENT Mozilla regular expression heap corruption attempt” group=“320” srcip="[server-ip]" dstip="[client-ip]" proto=“6” srcport=“80” dstport=“50895” sid=“8443” class=“Attempted User Privilege Gain” priority=“1” generator=“1” msgid=“0”

This seems to be triggered by the following Snort IPS rule: http://www.snort.org/search/sid/8443?r=1

Unfortunately the same rule is known to often cause false positives like in this case. There are two possible workarounds and one possible fix:

Workaround 1: Exclude the Piwik server’s IP address from checks in Snort/Astaro
Workaround 2: Disable the rule in the Snort signatures competely (don’t know if that’s actually an option, I’m no Astaro admin) - the fix is for a vulnerability in Mozilla type browsers that has been reported some four years ago. Being the good admin you are you have by now made sure that none of your users is still using crap that old, right?

Fix: Find the section in piwik.js that’s triggering the rule and try to write it in a way that doesn’t get blocked.

Kind regards

Markus


(Matthieu Aubry) #2

Thanks Markus for your feedback and solution on how to fix the issue. Lame that the error message doesn’t tell us more about what is so wrong about our harmless request :slight_smile:


(Peterbo) #3

I requested help on this at snort.org. Perhaps, somebody there will take care about this and help us out. :wink:

Peter


#4

Hy all,

same Problem with a client of mine. They send me a Link to an Bog-Report from snort.org

http://www.snort.org/search/sid/8443?r=1

best regards


(vipsoft) #5

The bug in the Snort Rule is that it doesn’t check for the closing ‘]’ in the regex.

I’ll commit a workaround in the meantime.