Piwik XSS #1269

Closed
mattab opened this Issue Apr 1, 2010 · 5 comments

2 participants

@mattab
Piwik Open Source Analytics member

I saw on twitter a Piwik XSS tweet pointing to http://packetstormsecurity.org/1003-exploits/piwik-xss.txt

We should fix it and check other variables to ensure there is no XSS left.

I re-enabled the sensitive ticket plugin for this one, and set it to sensitive, which seems to work.

@robocoder

(In [2038]) refs #1269

@robocoder

(In [2039]) refs #1269

@robocoder

(In [2047]) refs #1269

@robocoder

While [fixed the issue (by validating/filtering/escaping form_url), 2047 is a better solution -- it eliminates form_url entirely as a parameter/hidden form field.

I've drafted a blog entry for the security advisory and will request a CVE later for the 0.6 release.
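Added example, not Piwik's own code, illustrating the two fixes described in the comments above for a hidden form_url field: validating the parameter as a same-site relative path and escaping it at the point of output, with the raw reflection shown beside it for comparison. Function names are hypothetical.

```php
<?php
// Added example, not Piwik's code. Shows (1) the vulnerable pattern of
// echoing a request parameter straight into a hidden form field, and
// (2) the hardened pattern: validate form_url as a relative path, then
// HTML-escape it where it is written into the attribute.

// Vulnerable: the raw parameter lands inside an HTML attribute, so any
// quote or angle bracket in it is interpreted as markup.
function renderHiddenFieldVulnerable(array $request): string
{
    $formUrl = $request['form_url'] ?? '';
    return '<input type="hidden" name="form_url" value="' . $formUrl . '">';
}

// Validation: accept only a relative path on this site (no scheme, no
// host, no protocol-relative "//", no control characters). Anything else
// falls back to a safe default instead of being reflected back.
function validateFormUrl(string $candidate, string $default = 'index.php'): string
{
    if ($candidate === '' || strlen($candidate) > 2048) {
        return $default;
    }
    if (preg_match('/[\x00-\x1F\x7F]/', $candidate)) {
        return $default;
    }
    // Reject an explicit scheme ("http:", "javascript:") or a "//" prefix.
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $candidate) || substr($candidate, 0, 2) === '//') {
        return $default;
    }
    $parts = parse_url($candidate);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $default;
    }
    return $candidate;
}

// Hardened output: validate first, then escape for the HTML attribute
// context. ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE and UTF-8
// keep malformed multibyte input from silently producing an empty string.
function renderHiddenFieldHardened(array $request): string
{
    $formUrl = validateFormUrl((string)($request['form_url'] ?? ''));
    $escaped = htmlspecialchars($formUrl, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="hidden" name="form_url" value="' . $escaped . '">';
}

// Constructed sample input: a value that would close the attribute.
$sample = ['form_url' => 'index.php?module=Login"><b>constructed</b>'];
echo renderHiddenFieldHardened($sample), PHP_EOL;
// The quote and angle brackets are emitted as entities, so the value
// stays inside the attribute instead of becoming new markup.
```

The comment above prefers removing form_url as a parameter altogether; the hardened function is the fallback for a field that has to remain.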

@mattab
Piwik Open Source Analytics member

I disabled the sensitivity plugin for now, also closing this. Please reopen if there is an open issue.

@mattab mattab added this to the Piwik 0.6 milestone Jul 8, 2014
@robocoder robocoder was assigned by mattab Jul 8, 2014
This issue was closed.