Sites using the APS package of Matomo (Piwik) 0.5.4 (which we are referring to as, “Matomo Remix by Parallels”, per our trademark policy) may be vulnerable to a shared salt value which may allow an attacker to spoof trusted cookies or nonces.
This is a third-party issue, specific to this APS package. The vendor
has ceased maintenance of the package and did not respond to inquiries re: a coordinated disclosure.
Update: If you prefer to use the remix by Parallels, the APS package was updated to include Matomo 1.0 on September 1st.
The Matomo 0.5.4 remix by Parallels (version 0.5.4-6) bundles a SaaS Application Packaging Standard installer with Matomo 0.5.4. As of today, this package continues to be distributed via the APSstandard.org Application Catalog. The remix contains an installation script which bypasses the normal Matomo installer, and uses a template called “config.ini.php.in” that contains a hard-coded salt value.
salt = "cbdcd503704b27d3a5d51a0c866d8289"
As a result, all sites that install the remix share a common salt value. This salt value is normally secret and pseudo-randomly generated for each installation. In Matomo, the secret salt is used in signing cookies and nonces.
This vulnerability was discovered by the Matomo team and is ranked as low severity.
The Matomo team strongly urges that users of the APS package take the following steps:
- Manually edit config/config.ini.php, changing the salt value to a random string of characters (of the same length).
- Download the latest Matomo release from an official distribution channel, and extract the files, overwriting your existing installation. Browsing to the dashboard should then trigger a database update.
Report security vulnerabilities or concerns to firstname.lastname@example.org.