You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Recently I have been looking into the security implications of automatically upgrading Piwik and whilst the Piwik Core is verified using a GPG key, the plugins get no such verification. As a result, an malicious party gaining access to the plugin server could replace latest plugin versions with malicious version with no verification.
The inclusions of libsodium in PHP 7.2 makes this easier. And there are pure-PHP libraries that are supported back to PHP 5. A similar issue was raised for WordPress, however it was postponed due to other priorities.
My understanding is that Piwik already implements auto-updates for it's plugins and as such any attack on the Piwik plugin infrastructure could potentially expose a large number of systems to malicious code.
There is a respectable guide(also linked in that WordPress issue) here on implementing upgrades for PHP.
The text was updated successfully, but these errors were encountered:
Thanks for the suggestion. Yes, it would be great to implement the code signing verification mechanism when downloading plugins from the Marketplace. And we also should implement this code signing mechanism when downloading the Piwik core platform via the auto-update mechanism.
Note: currently, the code signing is not checked, we only download the upgrade over HTTPS. Code signing procedure has to be done manually by the users who know about it. We would like to implement this as part of #7328
We also should surface the manual code signing instructions better, see #10687
mattab
added
the
c: Security
For issues that make Matomo more secure. Please report issues through HackerOne and not in Github.
label
Aug 2, 2017
Recently I have been looking into the security implications of automatically upgrading Piwik and whilst the Piwik Core is verified using a GPG key, the plugins get no such verification. As a result, an malicious party gaining access to the plugin server could replace latest plugin versions with malicious version with no verification.
The inclusions of libsodium in PHP 7.2 makes this easier. And there are pure-PHP libraries that are supported back to PHP 5. A similar issue was raised for WordPress, however it was postponed due to other priorities.
My understanding is that Piwik already implements auto-updates for it's plugins and as such any attack on the Piwik plugin infrastructure could potentially expose a large number of systems to malicious code.
There is a respectable guide(also linked in that WordPress issue) here on implementing upgrades for PHP.
The text was updated successfully, but these errors were encountered: