New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Prevent content spoofing: display error if the URL is not valid #8693

Closed
mattab opened this Issue Sep 2, 2015 · 2 comments

Comments

Projects
None yet
3 participants
@mattab
Member

mattab commented Sep 2, 2015

It is possible to display custom text content on any Piwik instance as follows:

spoofing

Reported to security team:

http://demo.piwik.org is vulnerable to
Content spoofing and exploitable to all users.

*Description:-* Content Spoofing An attack technique used to trick a
user into thinking that fake web site content is legitimate data and
is an attack targeting a user made possible by an injection
vulnerability in a web application. When an application does not
properly handle user supplied data, an attacker can supply content
to a web application, typically via a parameter value, that is
reflected back to the user.

Vulnerable URL- 

http://demo.piwik.org/index.php?module=Proxy&action=redirect&url=
(Text Here)

I wanted to publicly acknowledge this limited security issue - maybe you have a suggestion on how this should be fixed, or whether we should fix it at all?

@mattab mattab added the c: Security label Sep 2, 2015

@haseebeqx

This comment has been minimized.

Show comment
Hide comment
@haseebeqx

haseebeqx Sep 6, 2015

Contributor

its not a security issue. it is a bug in the code
simple code rearrange will fix this issue. created a pull request #8719
which will fix this

Contributor

haseebeqx commented Sep 6, 2015

its not a security issue. it is a bug in the code
simple code rearrange will fix this issue. created a pull request #8719
which will fix this

@sgiehl sgiehl added this to the 2.15.0 milestone Sep 6, 2015

@sgiehl

This comment has been minimized.

Show comment
Hide comment
@sgiehl

sgiehl Sep 6, 2015

Member

fixed with #8719

Member

sgiehl commented Sep 6, 2015

fixed with #8719

@sgiehl sgiehl closed this Sep 6, 2015

@mattab mattab changed the title from Content spoofing to Prevent content spoofing: display error if the URL is not valid Oct 13, 2015

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment