Skip to content


How to make Piwik more block-resilient

Sometimes I like to be able to track stats of my things on sites that I don’t control. For instance (just as an illustration, I actually haven’t used eBay in ages), putting some Piwik tracking code on an eBay auction of mine. A site with good security will prevent you from adding JavaScript, so your tracking data will be limited, but they will usually allow you to insert external pictures. Sometimes with very strict checks (e.g. only picture extensions allowed), but more usually with no or few checks (like, any extension but .php/.asp). I recently had the case of a site that enforced a new policy to replace all “.php” by “.p”. That’s weird, but enough to be a minor PITA. Here is how to bypass such extension-based limitation.

The concept is simple:
1) turn an allowed extension into executed PHP
2) create a PHP file with said extension, and which will redirect traffic to the proper piwip.php file

To do this, you’ll need access to the HTTP server configuration files (probably you won’t be able to do that on shared hosting). Here I’ll show how it’s done with Apache.

Go to your Apache configuration files. For the sake of consistency (directives can be placed about anywhere, but better make it coherent), find the file linking PHP to .php extension (it contains SetHandler application/x-httpd-php). For me (Apache 2.2) it was /etc/apache2/mods-available/php5.conf. You’ll find something like:

    <FilesMatch "\.ph(p3?|tml)$">
	SetHandler application/x-httpd-php
    </FilesMatch>

After it, add the extension you want to support, for instance in my case I wanted to add .p, so it was like:

    <FilesMatch "\.p$">
	SetHandler application/x-httpd-php
    </FilesMatch>

NB: if the extension you want is already used, for instance if it’s a picture (like, .png), maybe you’ll have to remove a previous definition of .png. I didn’t check for that. You can always try without cleaning said used extension first, maybe it will work.

So, now the server will send .p files (or whatever extension you chose) to the php parser. Well, you’re almost done. All you need to do now is to create a redirecting php file, pointing to your piwik.php. Like:

<?php
header('Location: http://example.com/piwik.php?'.$_SERVER['QUERY_STRING']);
?>

As you can see, it can even redirect to another domain.

Better yet, if the service you are “targetting” also strips GET parameters, you can just add them here yourself, like:

<?php
header('Location: http://www.example.com/piwik.php?idsite=1&rec=1';
?>

Sounds quite unstoppable. Except with a most unlikely white-list.

Posted in web development.

Tagged with .


0 Responses

Stay in touch with the conversation, subscribe to the RSS feed for comments on this post.



Some HTML is OK

or, reply to this post via trackback.

Please solve the CAPTCHA below in order to fight spamWordPress CAPTCHA