Potential vulnerability in Piwik 2.15.0


#1

Hi,

I’m running Piwik 2.15.0. My web hoster blocked my IP after I used the website for the first time.

I contacted the web hoster and it turned out that the server found a potential URL vulnerability.

This is their response:


Our server administrator found: 

Pattern match on accessing the following URL:
/piwikdemo/index.php?date=2015-10-27&format=JSON2&idSite=1&limit=15&method=SitesManager.getPatternMatchSites&module=API&pattern=%25&period=day

The reason is that the highlighted characters become ‘%’ when URL decoded, which is a potential vulnerability, as it can be used for masking further URL encoded data.

Is this a known issue and can it be fixed?

Thanks,
Christopher


(Matthieu Aubry) #2

Hi there,

This is a bug in your host’s security protections. Please ask them to fix their protection or disable it for your account.
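To make the disagreement between the host's rule and Matthieu's reply concrete, here is an added example (not Piwik code, and not from either poster) that decodes the query string once and then checks whether any parameter still contains `%XX` escapes. The request quoted in the thread decodes `pattern=%25` to a single literal `%` with nothing behind it, so a rule that simply matches `%25` in the raw URL fires without any masked data being present. The second URL is a constructed double-encoded value (`%2541`, which decodes to `%41` and only on a second pass to `A`) used purely to show what a real residual escape looks like; the function names are my own.

```python
"""Added example: tell a literal '%' query value apart from a double-encoded one.
Hypothetical helper, not part of Piwik/Matomo."""
import re
from urllib.parse import urlsplit, parse_qs

# A percent sign followed by two hex digits is a URL escape sequence.
PCT_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")

# The request quoted in the thread (the one the host's pattern match hit).
PIWIK_URL = (
    "/piwikdemo/index.php?date=2015-10-27&format=JSON2&idSite=1&limit=15"
    "&method=SitesManager.getPatternMatchSites&module=API&pattern=%25&period=day"
)

# Constructed example of genuine double encoding: %2541 -> %41 -> 'A'.
DOUBLE_ENCODED_URL = "/piwikdemo/index.php?module=API&pattern=%2541"


def naive_rule_matches(url: str) -> bool:
    """The kind of check the host described: any '%25' in the raw query string."""
    return "%25" in urlsplit(url).query


def decoded_params(url: str) -> dict:
    """Decode the query string exactly once, as the application would.
    parse_qs performs that single unquote pass for us."""
    query = urlsplit(url).query
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def residual_escapes(url: str) -> dict:
    """Parameters whose value still contains %XX escapes after one decode.
    Only there was '%25' actually masking further encoded data."""
    return {k: v for k, v in decoded_params(url).items() if PCT_ESCAPE.search(v)}


def is_false_positive(url: str) -> bool:
    """True when the raw-string rule fires but no parameter carries residual encoding."""
    return naive_rule_matches(url) and not residual_escapes(url)


if __name__ == "__main__":
    for u in (PIWIK_URL, DOUBLE_ENCODED_URL):
        print(u)
        print("  naive rule fires :", naive_rule_matches(u))
        print("  decoded 'pattern':", decoded_params(u)["pattern"])
        print("  residual escapes :", residual_escapes(u))
        print("  false positive   :", is_false_positive(u))
```

Run as a script it prints both verdicts: the thread's URL trips the naive rule but decodes to a bare `%` and is classified as a false positive, while the constructed `%2541` value keeps a `%41` escape after the first decode and is the case a double-encoding rule is actually meant to catch. A protection that decodes once before matching, as `residual_escapes` does, would not have blocked Christopher's IP.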