@GerardBol opened this Issue on July 5th 2017

I use rsfirewall in my Joomla site

This rsfirewall detects mkdir($dir,"777") in the source of Piwik. Why 777, and set all access open?

@Findus23 commented on July 5th 2017 Member

Do you know which file rsfirewall is complaining about? Most references to 777 I found are in the tests, which shouldn't influence Piwik users (as the tests/ directory isn't included in the Piwik zip).

@Findus23 commented on July 5th 2017 Member
@GerardBol commented on July 5th 2017

pw/Piwik/core/Updater/Migration/Db/Factory.php
The file has been modified woensdag 31 mei 2017

Possible PHP Injection - function name contains only numbers.

_1(10)

pw/Piwik/vendor/doctrine/cache/lib/Doctrine/Common/Cache/FileCache.php
The file has been modified woensdag 31 mei 2017

Unsafe directory creation - 0777 permissions.

mkdir($path, 0777

pw/Piwik/vendor/doctrine/annotations/lib/Doctrine/Common/Annotations/FileCacheReader.php
The file has been modified dinsdag 15 november 2016

Unsafe directory creation - 0777 permissions.

mkdir($cacheDir, 0777

pw/Piwik/vendor/pear/archive_tar/Archive/Tar.php
The file has been modified woensdag 31 mei 2017

Unsafe directory creation - 0777 permissions.

mkdir($v_header['filename'], 0777

pw/Piwik/vendor/monolog/monolog/src/Monolog/Handler/StreamHandler.php
The file has been modified woensdag 31 mei 2017

Unsafe directory creation - 0777 permissions.

mkdir($dir, 0777

pw/Piwik/vendor/twig/twig/lib/Twig/Cache/Filesystem.php
The file has been modified woensdag 31 mei 2017

Unsafe directory creation - 0777 permissions.

mkdir($dir, 0777

pw/Piwik/vendor/twig/twig/.php_cs.dist
The file has been modified woensdag 31 mei 2017

Suspicious filename found. Files with a dot in front of them are usually hidden by the operating system.

.php_cs.dist

pw/Piwik/vendor/piwik/decompress/libs/PclZip/pclzip.lib.php
The file has been modified woensdag 31 mei 2017

Unsafe directory creation - 0777 permissions.

mkdir($p_dir, 0777

pw/Piwik/vendor/szymach/c-pchart/.scrutinizer.yml
The file has been modified woensdag 31 mei 2017

Suspicious filename found. Files with a dot in front of them are usually hidden by the operating system.

.scrutinizer.yml

pw/Piwik/plugins/LanguagesManager/Commands/CreatePull.php
The file has been modified woensdag 31 mei 2017

Possible PHP injection (file download)

shell_exec('curl

pw/Piwik/libs/bower_components/materialize/.npmignore
The file has been modified woensdag 31 mei 2017

Suspicious filename found. Files with a dot in front of them are usually hidden by the operating system.

From: Lukas Winkler [mailto:notifications@github.com]
Sent: Wednesday 5 July 2017 10:47
To: piwik/piwik <piwik@noreply.github.com>
CC: GerardBol <gerardbolhuis@gmail.com>; Author <author@noreply.github.com>
Subject: Re: [piwik/piwik] mkdir ($dir,"777") (#11843)

I found two places where Piwik does a chmod 777. All other chmod calls are using 755 or 600:
https://github.com/piwik/piwik/blob/3.x-dev/core/Profiler.php#L324
https://github.com/piwik/piwik/blob/3.x-dev/core/Db/BatchInsert.php#L268


@Findus23 commented on July 5th 2017 Member

Piwik/core/Updater/Migration/Db/Factory.php
Possible PHP Injection - function name contains only numbers.
_1(10)

I am not sure what your tester means, but I couldn't find a function whose name only contains numbers in https://github.com/piwik/piwik/blob/3.x-dev/core/Updater/Migration/Db/Factory.php

pw/Piwik/vendor/doctrine/cache/lib/Doctrine/Common/Cache/FileCache.php
pw/Piwik/vendor/doctrine/annotations/lib/Doctrine/Common/Annotations/FileCacheReader.php
pw/Piwik/vendor/pear/archive_tar/Archive/Tar.php
pw/Piwik/vendor/monolog/monolog/src/Monolog/Handler/StreamHandler.php
pw/Piwik/vendor/twig/twig/lib/Twig/Cache/Filesystem.php
pw/Piwik/vendor/twig/twig/.php_cs.dist
pw/Piwik/vendor/piwik/decompress/libs/PclZip/pclzip.lib.php
pw/Piwik/vendor/szymach/c-pchart/.scrutinizer.yml
pw/Piwik/libs/bower_components/materialize/.npmignore

Those are third-party libraries which may or may not have good reasons for doing that. You'll need to contact them if you want to know why they are using 777.

pw/Piwik/plugins/LanguagesManager/Commands/CreatePull.php

This plugin uses shell_exec to create pull requests updating the language files (https://github.com/piwik/piwik/pull/11820)
I doubt a piwik user will use this function.
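A point worth separating in this thread is mkdir($dir, 0777) versus chmod($dir, 0777). In PHP (as in the underlying POSIX call) the mode passed to mkdir() is filtered through the process umask, so on a typical host with umask 022 the directories the scanner flags in the vendor libraries end up as 0755, not world-writable; a chmod() to 0777, like the two Piwik core locations linked above, is applied literally and does produce a world-writable directory. The script below is an added example, not code from Piwik or any of the vendor libraries named in the report; it demonstrates both behaviours under a controlled umask and then runs a small audit that lists only directories that really carry the world-write bit, which is the check an operator would run over an install rather than grepping for the literal 0777. The temporary paths under sys_get_temp_dir() are constructed for the demo.

```php
<?php
declare(strict_types=1);

// Added example (not Piwik's or any vendor library's code). On POSIX systems
// mkdir()'s mode is masked by the process umask; chmod()'s mode is not.
// On Windows the mode argument is ignored entirely, so run this on Linux/macOS.

/** Permission bits of a path as a four-digit octal string, e.g. "0755". */
function modeOf(string $path): string
{
    clearstatcache(true, $path);
    return sprintf('%04o', fileperms($path) & 0777);
}

/** Directories at or below $root whose "other" write bit (o+w) is set. */
function worldWritableDirs(string $root): array
{
    $hits = [];
    if (fileperms($root) & 0002) {
        $hits[] = $root;
    }
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($it as $entry) {
        // getPerms() returns the raw st_mode; test only the o+w bit.
        if ($entry->isDir() && ($entry->getPerms() & 0002)) {
            $hits[] = $entry->getPathname();
        }
    }
    return $hits;
}

// Constructed demo tree under the system temp directory.
$base = sys_get_temp_dir() . '/mkdir-0777-demo-' . getmypid();
$oldUmask = umask(022);   // the common default; pin it so the output is deterministic

// 1. The pattern the scanner flags: mkdir with 0777. umask 022 turns it into 0755.
mkdir($base . '/via-mkdir', 0777, true);
printf('mkdir($dir, 0777) under umask 022 -> %s%s', modeOf($base . '/via-mkdir'), PHP_EOL); // 0755

// 2. chmod 0777 is not masked: this is what actually yields a world-writable directory.
mkdir($base . '/via-chmod', 0777, true);
chmod($base . '/via-chmod', 0777);
printf('chmod($dir, 0777)                 -> %s%s', modeOf($base . '/via-chmod'), PHP_EOL); // 0777

// 3. Defensive form: request the mode you mean and apply it explicitly, so the
//    result does not depend on whatever umask the web server happens to run with.
mkdir($base . '/explicit', 0750, true);
chmod($base . '/explicit', 0750);
printf('mkdir + chmod 0750                -> %s%s', modeOf($base . '/explicit'), PHP_EOL); // 0750

// 4. Audit: only the chmod'ed directory shows up, not the one created with mkdir 0777.
echo 'world-writable directories under ', $base, ':', PHP_EOL;
foreach (worldWritableDirs($base) as $dir) {
    echo '  ', $dir, PHP_EOL;
}

// Clean up the demo tree and restore the caller's umask.
umask($oldUmask);
foreach (['via-mkdir', 'via-chmod', 'explicit'] as $d) {
    rmdir($base . '/' . $d);
}
rmdir($base);
```

The caveat that matters for a Joomla or Piwik host is the umask the PHP process actually runs with: under php-fpm or mod_php it is inherited from the service's environment, and if an operator has set it to 000 the vendor mkdir($dir, 0777) calls do become world-writable. Point worldWritableDirs() at the install root (or at the tmp/ and cache directories) to see the effective result rather than reasoning from the source alone.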
