Security Issue - Site Wide Open


(Simon Griffiths) #1

Hi Guys,

I have been using Piwik for a while with no problems. I was getting some access issues on one site after the update to Matomo, so I have just been trying to sort this out. I am currently running 3.5.1 self hosted.

What I noticed was that previously I had to log in to analytics with my username and password, but now it is wide open and on the public internet. To make things worse the URL is in the tracking code, so basically anyone could easily look at the site analytics.

Any ideas what is happening and why I am seeing this? I can get to the site from browsers and devices that have previously not accessed the site, so it’s not a cache issue.

Cheers
Simon


(Roddy A. Stegemann) #2

In the spirit of anything is better than nothing. Does an .htaccess file appear in your config folder? If so, what is inside? If not, maybe you should consider installing one.

Roddy


(Simon Griffiths) #3

No .htaccess because this is in a folder of a parent domain. I can install one, but surely some security should be there as a default.


(Lukas Winkler) #4

Hi,

Can you log in and go to the “System” -> “Users” Setting? There you select the website that is publicly viewable and select “No access” for the anonymous user.


(Roddy A. Stegemann) #5

I understand, but it is the config folder that contains all of your Matomo access information. Might it be that Lukas’ suggestion will install one for you? After you have taken his suggestion, open the config folder and see if an .htaccess folder does not appear.

In my own experimentation I have discovered that the .htaccess file in my config folder controls my ability to access the Matomo application directly with PHP. I am now looking for a way that will maintain security and still allow only me access.

I do not like the idea of allowing anonymous access. I am online to serve my guests, not allow myself to be raped by my competition.

Roddy


(Simon Griffiths) #6

Hi and thanks,
This one fixed it nicely. I must admit that I am worried how it opened up in the first place, but at least it’s fixed now.
Cheers
Simon
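
A way to confirm from outside that the "No access" setting from post #4 took effect on your own instance, as an added example that is not part of the original thread. It assumes Matomo's Reporting API method `SitesManager.getSitesIdWithAtLeastViewAccess` and the `token_auth=anonymous` convention; the host name and the sample replies are constructed placeholders.

```python
import json
import urllib.parse
import urllib.request

# Reporting API method that lists the site IDs the calling user can view.
METHOD = "SitesManager.getSitesIdWithAtLeastViewAccess"


def anonymous_api_url(base_url):
    """Build the Reporting API URL, authenticating as the 'anonymous' user."""
    query = urllib.parse.urlencode({
        "module": "API",
        "method": METHOD,
        "format": "JSON",
        "token_auth": "anonymous",
    })
    return base_url.rstrip("/") + "/index.php?" + query


def exposed_site_ids(body):
    """Return the site IDs visible to anonymous, parsed from the API reply."""
    data = json.loads(body)
    # Assumption: a refused request comes back as {"result": "error", ...}.
    if isinstance(data, dict):
        if data.get("result") == "error":
            return []
        raise ValueError("unexpected API response: %r" % data)
    return sorted(int(site_id) for site_id in data)


def check_instance(base_url, fetch=None):
    """Fetch the anonymous view of base_url and return the exposed site IDs."""
    if fetch is None:
        def fetch(url):
            with urllib.request.urlopen(url, timeout=10) as resp:
                return resp.read().decode("utf-8")
    return exposed_site_ids(fetch(anonymous_api_url(base_url)))


if __name__ == "__main__":
    # Constructed sample replies, not captured from a real server.
    before = '["1", "3"]'   # anonymous still has "View" on sites 1 and 3
    after = '[]'            # anonymous set to "No access" on every site
    url = "https://analytics.example.org/matomo"  # placeholder host
    print(check_instance(url, fetch=lambda _u: before))
    print(check_instance(url, fetch=lambda _u: after))
```

Calling `check_instance()` with only your Matomo base URL performs the real request; a non-empty list means the anonymous user still has view access to those sites.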