@SR-mkuhn opened this Issue on July 2nd 2015

via http://forum.piwik.org/read.php?2,127703

Array-to-string conversions seem to happen in 3 places in Piwik 2.14.0:

WARNING: /srv/www/htdocs/piwik/core/Plugin/Report.php(799): Warning - ucfirst() expects parameter 1 to be string, array given - Piwik 2.14.0

public static function factory($module, $action):
...
  $api = $module . '.' . ucfirst($action);
...

WARNING: /srv/www/htdocs/piwik/core/Http/ControllerResolver.php(63): Notice - Array to string conversion - Piwik 2.14.0

public function getController($module, $action, array &$parameters):
...
   throw new Exception(sprintf("Action '%s' not found in the module '%s'", $action, $module));
...

WARNING: /srv/www/htdocs/piwik/core/Http/ControllerResolver.php(132): Warning - substr() expects parameter 1 to be string, array given - Piwik 2.14.0

private function isReportMenuAction($action):
...
   $startsWithMenu = (Report::PREFIX_ACTION_IN_MENU === substr($action, 0, strlen(Report::PREFIX_ACTION_IN_MENU)));
...

Greetings
mkuhn

@tsteur commented on July 2nd 2015 Owner

When does it happen? Can you let us know the steps to reproduce? Maybe you have a URL? Feel free to remove the domain of the URL and possible token_auth parameters.

@SR-mkuhn commented on July 3rd 2015

This happened during a penetration test via Acunetix.

http://example.com/piwik/index.php?action[$acunetix]=1&form_login=erssdkay&form_nonce=dxxxxxxxxxxxxxxxxxxxxxxxxxxxd&form_password=g00dPa%24%24w0rD&form_password_bis=g00dPa%24%24w0rD&module=Login

This is from the data-field in the piwik-session table (database session handling is activated):
https://gist.github.com/SR-mkuhn/62934559874a8f2fddcc

As those errors pile up in this field, an attacker can fill a database easily.

@mattab commented on July 15th 2015 Owner

Hi @SR-mkuhn
The payload is kinda designed to trigger warnings and notices (i.e. passing arrays instead of strings) so I don't think we need to fix these.

@SR-mkuhn commented on July 16th 2015

But wouldn't it be a security improvement to have a preliminary test if your inputs (and types) are sane?
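The kind of preliminary type check asked for above, as an added example that is not part of the issue or of Piwik's code: PHP's query-string parser turns `action[$acunetix]=1` into an array under `$_GET['action']`, and the assumed helper `requireStringParam()` rejects such a value before it reaches string-only functions like `ucfirst()` or `substr()`.

```php
<?php
// Added example, not Piwik code. PHP parses "action[$acunetix]=1" into
// $_GET['action'] = ['$acunetix' => '1'], so any later code that expects a
// string (ucfirst, substr, sprintf '%s') emits a warning or notice instead of
// simply failing the request.

/**
 * Return the named request parameter only if it is a plain string.
 * A missing parameter yields $default; any non-string (array, object, ...)
 * is rejected up front so the request can be answered with 400 and nothing
 * is logged into the session store.
 */
function requireStringParam(array $request, string $name, ?string $default = null): ?string
{
    if (!array_key_exists($name, $request)) {
        return $default;
    }
    $value = $request[$name];
    if (!is_string($value)) {
        // e.g. "action[foo]=1" arrives as an array, never as the string "foo"
        throw new InvalidArgumentException(sprintf(
            "Parameter '%s' must be a string, %s given", $name, gettype($value)));
    }
    return $value;
}

// Constructed query string mirroring the shape of the reported URL;
// parse_str() decodes it the same way PHP builds $_GET.
parse_str('action[$acunetix]=1&module=Login&form_login=erssdkay', $params);

var_dump($params['action']);   // array(1) { ["$acunetix"]=> string(1) "1" }

try {
    $action = requireStringParam($params, 'action', 'index');
} catch (InvalidArgumentException $e) {
    // Reject the request cleanly instead of letting ucfirst()/substr() warn.
    http_response_code(400);
    echo $e->getMessage(), PHP_EOL;   // Parameter 'action' must be a string, array given
}

echo requireStringParam($params, 'module'), PHP_EOL;   // Login
```

Run with `php example.php`; the same check applied to `$_GET`/`$_POST` at the front controller covers all three code paths quoted in the report with a single validation step.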

This Issue was closed on July 15th 2015