@anonymous-piwik-user opened this Issue on March 28th 2009

Anonymous users can still access the site management section of Piwik even when they have been restricted with 'No Access'

Calling the URLs:

/index.php?module=SitesManager&action=displayJavascriptCode&idsite=1

/index.php?module=SitesManager&action=index&idsite=1

/index.php?module=Feedback&action=index&idsite=1&keepThis=true&TB_iframe=true&height=400&width=350

Will all display results without authentication.

Other pages may be affected, but these are the ones I know of.

The data exposed isn't critical but still poses a minor security issue.

@robocoder commented on March 28th 2009 Contributor

The tracker code is public information.

The site manager page may be accessible, but it doesn't display any site information to which the anonymous user has 'no access'. I suppose we could restrict access to even this page.

The feedback module is for the public to submit feedback. If you read the plugin description from the plugin admin screen, it reads:

Send your Feedback to the Piwik Team in one click. Share your ideas and suggestions with us! By Piwik.

You're welcome to deactivate this plugin.

@robocoder commented on March 28th 2009 Contributor

Oops. Given ticket #554, we won't be blocking access to the site manager page.

This Issue was closed on March 28th 2009