Matomo 0.2.33, response to CVE-2009-1085

Reference: CVE-2009-1085 dated 03/25/2009

Contrary to the advisory, the Matomo (Piwik) project did not “confirm” this “vulnerability”. We have classified this issue as user error. The subject file, “misc/cron/archive.sh”, was intended to be a sample shell script. By default, archiving is an internal Matomo process, and an external “archive.sh” file is neither required nor used in most installations. Users who required cron-based archiving were expected to copy the file to a secure location and configure it for their environment, since the sample file is always overwritten by the software update process.

The only way to expose the API key in “archive.sh” would be for a user to manually edit this file in-situ. Matomo does not “store” the API key in “archive.sh” as alleged in the advisory — not through the installer, not through the admin panel. Matomo never configures this file with the superuser’s API key. To reiterate, Matomo never modifies this file.

Starting with Matomo version 0.2.33 (released Apr 7, 2009), “archive.sh” is production-ready and will programmatically fetch the API key from the user’s (private) configuration file.

Matomo users who have configured “archive.sh” (up to and including Matomo version 0.2.32) are advised to update to the latest version of Matomo, or to restrict access to this script, either via “.htaccess” or by moving the script outside the web document root.
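The two mitigations above (keeping the API key out of the script itself, and keeping the script out of the web document root) can both be checked from a cron wrapper. The following POSIX shell script is an added example and is not Matomo's own archive.sh: it refuses to run if the key file is readable by other users, reads the key from a private file instead of embedding it, and reports whether a given script path still lives under the document root. The `token_auth = …` key/value format, the file names and the directory layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not Matomo's archive.sh. Config format, paths and names are assumed.

# is_inside_webroot DOCROOT PATH
# Returns 0 if PATH is located under DOCROOT (i.e. reachable through the web
# server), 1 if it is outside, 2 if either directory cannot be resolved.
is_inside_webroot() {
    docroot=$(cd "$1" 2>/dev/null && pwd -P) || return 2
    target=$(cd "$(dirname "$2")" 2>/dev/null && pwd -P) || return 2
    case "$target/" in
        "$docroot"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# read_api_key CONFIGFILE
# Prints the value of the (assumed) "token_auth = <value>" line of a private
# config file. Refuses files that are readable by group or others, so a key
# that was accidentally left world-readable is never used.
read_api_key() {
    cfg=$1
    [ -f "$cfg" ] || { echo "config not found: $cfg" >&2; return 1; }
    # GNU stat first, BSD/macOS stat as fallback; both yield an octal mode.
    perms=$(stat -c '%a' "$cfg" 2>/dev/null || stat -f '%Lp' "$cfg")
    case "$perms" in
        ?00) ;;   # owner-only permissions (400, 600, 700) are acceptable
        *) echo "refusing $cfg: mode $perms is readable by group/others" >&2; return 1 ;;
    esac
    key=$(sed -n 's/^[[:space:]]*token_auth[[:space:]]*=[[:space:]]*//p' "$cfg" \
          | sed 's/[[:space:]]*$//' | head -n 1)
    [ -n "$key" ] || { echo "token_auth not set in $cfg" >&2; return 1; }
    printf '%s\n' "$key"
}

# Stand-alone demonstration on a constructed directory layout.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/www/misc/cron" "$tmp/private"
    : > "$tmp/www/misc/cron/archive.sh"      # sample copy under the web root
    : > "$tmp/private/archive.sh"            # configured copy outside it
    printf 'token_auth = EXAMPLE_TOKEN_VALUE\n' > "$tmp/private/matomo.ini"  # constructed

    for script in "$tmp/www/misc/cron/archive.sh" "$tmp/private/archive.sh"; do
        if is_inside_webroot "$tmp/www" "$script"; then
            echo "WARNING: $script is inside the document root"
        else
            echo "ok: $script is outside the document root"
        fi
    done

    chmod 644 "$tmp/private/matomo.ini"
    read_api_key "$tmp/private/matomo.ini" >/dev/null || echo "ok: world-readable key file rejected"
    chmod 600 "$tmp/private/matomo.ini"
    echo "key loaded from private file: $(read_api_key "$tmp/private/matomo.ini")"
    rm -rf "$tmp"
}

demo
```

The script-location check resolves both paths with `pwd -P`, so a symlink from inside the document root to the "private" copy is still reported as inside. The key is only ever held in a shell variable; nothing is written back into any file that the update process would overwrite.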
