Security Issues on Matomo Application


(Arief Donie) #1

Hi,
My Matomo has been successfully installed on my local server, but when I wanted to get a public IP, my network administrator ran a penetration test on the system, and the vulnerability results are as shown:

  1. 11213 - HTTP TRACE / TRACK Methods Allowed
    Synopsis
    Debugging functions are enabled on the remote web server.
    Description
    The remote web server supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods that are used to debug web server connections.

  2. 40984 - Browsable Web Directories
    Synopsis
    Some directories on the remote web server are browsable.
    Description
    Multiple Nessus plugins identified directories on the web server that are browsable.

  3. 93112 - OpenSSL < 1.1.0 Default Weak 64-bit Block Cipher (SWEET32)
    Synopsis
    The service running on the remote host uses a weak encryption block cipher by default.
    Description
    According to its banner, the version of OpenSSL running on the remote host is prior to 1.1.0. It is, therefore, affected by a vulnerability, known as SWEET32, in the 3DES and Blowfish algorithms due to the use of weak 64-bit block ciphers by default. A man-in-the-middle attacker who has sufficient resources can exploit this vulnerability, via a ‘birthday’ attack, to detect a collision that leaks the XOR between the fixed secret and a known plaintext, allowing the disclosure of the secret text, such as secure HTTPS cookies, and possibly resulting in the hijacking of an authenticated session.

  4. 26194 - Web Server Transmits Cleartext Credentials
    Synopsis
    The remote web server might transmit credentials in cleartext.
    Description
    The remote web server contains several HTML form fields containing an input of type 'password' which transmit their information to a remote web server in cleartext.
    An attacker eavesdropping on the traffic between web browser and server may obtain logins and passwords of valid users.

  5. 34850 - Web Server Uses Basic Authentication Without HTTPS
    Synopsis
    The remote web server seems to transmit credentials in cleartext.
    Description
    The remote web server contains web pages that are protected by 'Basic' authentication over cleartext.
    An attacker eavesdropping on the traffic might obtain logins and passwords of valid users.

My question is, how can I close those security holes, or can you guys here give any advice or solutions to these issues?

Looking forward to y'all's responses.

Best regards,


(Fabian Dellwing) #2

Hi, some feedback for you:

  1. Not related to Matomo. (Disable Track and Trace in apache - Stack Overflow)
  2. Not related to Matomo. (apache - How do I disable directory browsing? - Stack Overflow)
  3. Not related to Matomo. (SWEET32 Birthday attack : How to fix TLS vulnerability (CVE-2016-2183) in OpenSSL, Apache, Nginx and IIS in RedHat, CentOS, Ubuntu, Debian, OpenSUSE and Windows - Bobcares)
  4. Not relevant if SSL is used.
  5. Not related to Matomo. (Matomo should always be run over HTTPS)

All of these can be fixed if you harden your locally set up web server.
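As an added example (not code from either post, nor from Matomo, Nessus or the Apache project): the two constructed Apache vhost configs below reproduce the five findings from post #1 and apply the Apache-side fixes Fabian points to in post #2 (TraceEnable, -Indexes, a cipher list without 3DES, and an HTTP-to-HTTPS redirect so no login form or Basic-auth page is ever served in clear). A small Python audit then flags each finding from the config text alone, so you can re-check before the next scan. Hostnames, paths, certificate locations and the check names are assumptions for illustration.

```python
"""Audit an Apache vhost config for the five Nessus findings in the thread.

Added example; not Matomo, Nessus or Apache code. Both configs are constructed
samples: hostnames, paths and certificate locations are invented.
"""
import re
from typing import List

# Constructed "before": a stock-looking vhost pair that produces all five findings.
WEAK_CONF = """
<VirtualHost *:80>
    ServerName matomo.example.test
    DocumentRoot /var/www/matomo
    <Directory /var/www/matomo>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>
<VirtualHost *:443>
    ServerName matomo.example.test
    DocumentRoot /var/www/matomo
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/matomo.pem
    SSLCertificateKeyFile /etc/ssl/private/matomo.key
    SSLCipherSuite HIGH:MEDIUM
</VirtualHost>
"""

# Constructed "after": same site, hardened. Needs mod_ssl, mod_headers and mod_rewrite.
HARDENED_CONF = """
TraceEnable off
<VirtualHost *:80>
    ServerName matomo.example.test
    # Nothing served in clear: every request goes to HTTPS (findings 4 and 5).
    Redirect permanent / https://matomo.example.test/
</VirtualHost>
<VirtualHost *:443>
    ServerName matomo.example.test
    DocumentRoot /var/www/matomo
    <Directory /var/www/matomo>
        Options -Indexes +FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/matomo.pem
    SSLCertificateKeyFile /etc/ssl/private/matomo.key
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on
    SSLCipherSuite HIGH:!aNULL:!MD5:!3DES:!DES:!RC4
    Header always set Strict-Transport-Security "max-age=31536000"
    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)$
    RewriteRule .* - [F]
</VirtualHost>
"""


def _directive(conf: str, name: str) -> List[str]:
    """Argument string of every occurrence of a directive (Apache names are case-insensitive)."""
    return [m.group(1).strip() for m in re.finditer(rf"^\s*{name}\s+(.+?)\s*$", conf, re.M | re.I)]


def trace_enabled(conf: str) -> bool:
    """11213: Apache answers TRACE unless 'TraceEnable off' is set somewhere."""
    return not any(v.lower() == "off" for v in _directive(conf, "TraceEnable"))


def indexes_enabled(conf: str) -> bool:
    """40984: any Options line that turns on directory listings."""
    return any(tok.lower() in ("indexes", "+indexes", "all")
               for opts in _directive(conf, "Options") for tok in opts.split())


def sweet32_exposed(conf: str) -> bool:
    """93112: cipher list must explicitly drop 3DES; OpenSSL < 1.1.0 keeps it in HIGH."""
    suites = _directive(conf, "SSLCipherSuite")
    if not suites:
        return True  # library default applies, which on pre-1.1.0 OpenSSL includes 3DES
    return any("!3DES" not in s.upper().split(":") for s in suites)


def cleartext_served(conf: str) -> bool:
    """26194 / 34850: a port-80 vhost that serves content instead of redirecting to https."""
    for m in re.finditer(r"<VirtualHost[^>]*:80>(.*?)</VirtualHost>", conf, re.S | re.I):
        if not re.search(r"^\s*(?:Redirect\S*|RewriteRule)\s.*https://", m.group(1), re.M | re.I):
            return True
    return False


def audit(conf: str) -> List[str]:
    """Return one message per finding still present in the config."""
    checks = [
        (trace_enabled, "11213 TRACE/TRACK allowed: add 'TraceEnable off'"),
        (indexes_enabled, "40984 browsable directories: use 'Options -Indexes'"),
        (sweet32_exposed, "93112 SWEET32: add '!3DES' to SSLCipherSuite"),
        (cleartext_served, "26194/34850 cleartext credentials: redirect port 80 to HTTPS"),
    ]
    return [msg for check, msg in checks if check(conf)]


if __name__ == "__main__":
    print("weak:", audit(WEAK_CONF))
    print("hardened:", audit(HARDENED_CONF))
```

Apache itself does not implement TRACK (an IIS method), so `TraceEnable off` is what the scanner is really after; the RewriteCond line just refuses both verbs with a 403 as belt and braces. The audit reads only the vhost file you feed it, so a cipher list set in a global `ssl.conf` would need to be included in the same string.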