Piwik XSS #1269

Closed
mattab opened this Issue · 5 comments

Matthieu Aubry
Owner

I saw on twitter a Piwik XSS tweet pointing to http://packetstormsecurity.org/1003-exploits/piwik-xss.txt

We should fix it and check other variables to ensure there is no XSS left.

I re-enabled the sensitive ticket plugin for this one, and set it to sensitive, which seems to work.

Anthon Pang
Collaborator

(In [2038]) refs #1269

Anthon Pang
Collaborator

(In [2039]) refs #1269

Anthon Pang
Collaborator

(In [2047]) refs #1269

Anthon Pang
Collaborator

While [fixed the issue (by validating/filtering/escaping form_url), 2047 is a better solution -- it eliminates form_url entirely as a parameter/hidden form field.

I've drafted a blog entry for the security advisory and will request a CVE later for the 0.6 release.
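The two remedies named in the comment above, as an added example that is not Piwik's own code: a value such as form_url reflected verbatim into a hidden form field, beside a hardened version that validates it as a same-site relative path and escapes it for the attribute context. Function names and the sample input are hypothetical; the comment's preferred fix, dropping the parameter altogether, is noted at the end.

```php
<?php
// Added illustration, not code from the Piwik project. The vulnerable and
// hardened renderers below are hypothetical helpers built around a hidden
// "form_url" field like the one discussed in this issue.

// Vulnerable pattern: the request value is copied into markup unchanged, so a
// value containing a double quote closes the attribute and injects HTML.
function renderHiddenFormUrlVulnerable(string $formUrl): string
{
    return '<input type="hidden" name="form_url" value="' . $formUrl . '" />';
}

// Validation step: accept only a path-relative URL on this site. No scheme,
// no host, no protocol-relative "//", no control characters or whitespace.
function safeFormUrl(string $formUrl): string
{
    if (!preg_match('#^/(?!/)[A-Za-z0-9._~!$&\'()*+,;=:@/%?\-]*$#', $formUrl)) {
        return '/'; // fall back to a known-safe default instead of echoing input
    }
    // Escaping step: encode for the HTML attribute context, quotes included.
    return htmlspecialchars($formUrl, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderHiddenFormUrlHardened(string $formUrl): string
{
    return '<input type="hidden" name="form_url" value="'
        . safeFormUrl($formUrl) . '" />';
}

// Constructed sample input: breaks out of the attribute in the vulnerable
// renderer, is rejected (not a bare relative path) in the hardened one.
$sample = '"><b>injected</b>';
echo renderHiddenFormUrlVulnerable($sample), "\n";
// <input type="hidden" name="form_url" value=""><b>injected</b>" />
echo renderHiddenFormUrlHardened($sample), "\n";
// <input type="hidden" name="form_url" value="/" />

// A legitimate relative target passes validation and is escaped for output.
echo renderHiddenFormUrlHardened('/index.php?module=Login&action=index'), "\n";
// <input type="hidden" name="form_url" value="/index.php?module=Login&amp;action=index" />

// Preferred fix per the comment above: do not carry the destination URL
// through the request at all, so there is nothing to validate or escape.
```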

Matthieu Aubry
Owner

I disabled the sensitivity plugin for now, also closing this. Please reopen if there is an open issue.

Matthieu Aubry mattab added this to the Piwik 0.6 milestone
Anthon Pang robocoder was assigned by mattab
This issue was closed.