Piwik XSS #1269

mattab · 2010-04-01T10:29:01Z

I saw on twitter a Piwik XSS tweet pointing to http://packetstormsecurity.org/1003-exploits/piwik-xss.txt

we should fix it and check other variables to ensure there is no xss left.

I re-enabled the sensitive ticket plugin for this one, and set it to sensitive, which seems to work.

robocoder · 2010-04-02T03:26:03Z

(In [2038]) refs #1269

robocoder · 2010-04-02T06:37:47Z

(In [2039]) refs #1269

robocoder · 2010-04-02T22:03:11Z

(In [2047]) refs #1269

robocoder · 2010-04-02T22:10:57Z

While [fixed the issue (by validating/filtering/escaping form_url), 2047 is a better solution -- it eliminates form_url entirely as a parameter/hidden form field.

I've drafted a blog entry for the security advisory and will request a CVE later for the 0.6 release.

mattab · 2010-04-24T20:49:56Z

I disabled the sensitivity plugin for now, also closing this.. please reopen if there is open issue.

mattab added this to the Piwik 0.6 milestone Jul 8, 2014

mattab added T: Bug labels Jul 8, 2014

mattab assigned robocoder Jul 8, 2014

This issue was closed.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Piwik XSS #1269

Piwik XSS #1269

mattab commented Apr 1, 2010

robocoder commented Apr 2, 2010

robocoder commented Apr 2, 2010

robocoder commented Apr 2, 2010

robocoder commented Apr 2, 2010

mattab commented Apr 24, 2010

Piwik XSS #1269

Piwik XSS #1269

Comments

mattab commented Apr 1, 2010

robocoder commented Apr 2, 2010

robocoder commented Apr 2, 2010

robocoder commented Apr 2, 2010

robocoder commented Apr 2, 2010

mattab commented Apr 24, 2010