When updating today, I realized that Piwik doesn't follow its own access rules when applying core updates. Anonymous internet users are able to begin the core update process once the initial step is triggered. Crucially, they are able to see not only the version in use but also the structure of the database and which SQL queries will be performed during the update.
For Piwik sites without a proxy server blocking off-site connections, this could be a critical vulnerability as it reveals a large amount of information about the database, extensions in use, and other software installed on the server. Through this, a malicious visitor would be much better prepared to attack the site.
OS: Ubuntu Trusty 14.04 x64
Version: upgraded from version 2.16.2 to the new version 3.0.4.
Bug posted here after conversation with security@ (enclosed as they provide a workaround):
That's true and this could be an issue.
1) Would you please create an issue in our tracker here: https://github.com/piwik/piwik/issues
2) As a workaround, we recommend putting Piwik into maintenance mode and then running the upgrade via the console: https://piwik.org/docs/update/#database-upgrade-for-high-traffic-piwik-servers
Thanks for your report,
Piwik Security team
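The workaround in the security team's reply (maintenance mode first, then the console upgrade) is easy to get half right: running the console update without maintenance mode leaves the web-triggered update path reachable by anonymous visitors exactly as described above. The following POSIX shell snippet is an added example, not code from Piwik or from this report, that refuses to start the console update unless `maintenance_mode = 1` is set under `[General]` in `config/config.ini.php`. The install path `/var/www/piwik` and the `php console core:update` invocation are assumptions about the deployment; the sample config file it checks is constructed inline.

```shell
#!/bin/sh
# Pre-flight guard for the "maintenance mode + console upgrade" workaround.
# Added example; path and console invocation are assumptions, not Piwik's own code.

# Return 0 when the [General] section of the given ini file sets maintenance_mode = 1,
# 1 otherwise. Only the [General] section counts; the same key elsewhere is ignored.
piwik_in_maintenance() {
    awk '
        # A "[section]" line switches the section we are in.
        /^[[:space:]]*\[/ { in_general = ($0 ~ /^[[:space:]]*\[General\]/); next }
        in_general && /^[[:space:]]*maintenance_mode[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, "")   # drop "maintenance_mode ="
            sub(/;.*/, "")                   # drop trailing ini comment
            gsub(/[[:space:]"]/, "")         # drop whitespace and quotes
            if ($0 == "1") found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Run the console upgrade only when maintenance mode is confirmed in the config.
# $1: Piwik install root (assumed default /var/www/piwik).
run_console_update() {
    piwik_root=${1:-/var/www/piwik}
    if ! piwik_in_maintenance "$piwik_root/config/config.ini.php"; then
        echo "refusing to update: set maintenance_mode = 1 under [General] first" >&2
        return 1
    fi
    ( cd "$piwik_root" && php console core:update )
}

# Demonstration on a constructed config file (no real Piwik install needed).
demo_dir=$(mktemp -d)
printf '; <?php exit; ?> DO NOT REMOVE THIS LINE\n[General]\nmaintenance_mode = 1\n' \
    > "$demo_dir/config.ini.php"
if piwik_in_maintenance "$demo_dir/config.ini.php"; then
    echo "constructed config: maintenance mode is on, console update may proceed"
fi
rm -rf "$demo_dir"
```

Run `run_console_update /path/to/piwik` as the web server user; it exits non-zero without touching the database when the guard fails. Remove the `maintenance_mode` line again once the update has completed.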