Vulnerabilities found by our security team

Hello Team,
Our internal security team found a vulnerability in our Matomo version 3.14.1.
How do we make sure that our Matomo application is not impacted?

The product does not use a protection mechanism that provides sufficient defense against directed attacks against the product. Specifically, the site does not take appropriate measures to protect against UI redressing attacks (Clickjacking). It is possible to overlay the target page inside an IFRAME from an attacker's controlled web site. By doing so, they can attempt to trick a user into executing an unwarranted action without the user's knowledge or consent. More information on Clickjacking can be found on OWASP's website: https://www.owasp.org/index.php/Clickjacking.

To protect against Clickjacking, it is recommended that any page that contains forms which require a user to enter sensitive information use the X-Frame-Options header set to either DENY or SAMEORIGIN. More information on security headers can be found on Veracode's website: https://www.veracode.com/blog/2014/03/guidelines-for-setting-security-headers/#xfo.

Best Regards,
Jagan.

Hi,

The best way to make sure your Matomo instance is secure is to use the latest version that still receives security updates (so 4.7.1 at the moment).

Also I am not sure what exactly your security tool is reporting, as Matomo sets an X-Frame-Options header to sameorigin unless you changed the settings as seen in https://matomo.org/faq/troubleshooting/faq_147/

Hi Lukas Winkler,
Thank you for your response.
Yes, we have not added the parameters mentioned in the link https://matomo.org/faq/troubleshooting/faq_147/ in config/config.ini.php.

So you mean that if we are not adding the parameters in config/config.ini.php then the application is not impacted by any security vulnerability, am I correct?

Best Regards,
Jagan.