Labels: Bug, duplicate, Major
Expected Behavior
Viewing Actions > Pages should bring up a list of pages visitors to my site have looked at. All of those Pages should link only to sites I have specified within my domain settings in Piwik.
Actual Behavior
Links to outside domains do show up, and appear malicious. (And these links appear under "Pages", not "Exit Pages", even though no such page exists on my domain.)
For example, a "page" called "browse.php" shows up in my Page analytics, but the link doesn't point to any of my domains - it points to either an IP address or a site like "zooworldgameguide.com".
Steps to Reproduce
My webserver logs show a line like this, which is probably what injected the link to a rogue website. (Parts specific to my website removed.)
It appears to be calling piwik.php but customizing the parameters for its own means.
(cut into multiple lines for readability - was one long line in web server logs)
[source IP here] - - [08/May/2011:00:31:17 -0700]
"GET /stats/piwik.php?action_name=[my site name stripped]
&idsite=1&rec=1&rand=0.7976603401009384&h=9&m=31&s=19
&url=http%3A%2F%2Fzooworldgameguide.com%2Fbrowse.php%3F[params stripped]
&urlref=http%3A%2F%2Fzooworldgameguide.com[referer params stripped]
&_idvc=1&_idn=1&_rcn=&_rck=&_refts=0&_viewts=1304839880&_ref=&pdf=1&qt=1
&realp=0&wma=1&dir=0&fla=1&java=1&gears=0&ag=1&res=1680x1050&cookie=1 HTTP/1.1"
200 54 "[referer stripped - was my domain]"
"Mozilla/5.0 (Windows NT 6.0; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1" "-"
Keywords: security
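An added example, not part of the original report and not Piwik code: a log check that flags `piwik.php` requests whose `url` parameter names a host outside the site's own domains, which is the pattern in the log line above. It assumes Apache/nginx combined log format; `ALLOWED_HOSTS`, the IP addresses and the sample lines are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: the hostnames configured for this site in Piwik (placeholders).
ALLOWED_HOSTS = {"example.org", "www.example.org"}

# Request line inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"GET (\S+) HTTP/[\d.]+"')

def tracked_host(log_line):
    """Return the host named in the tracker's url= parameter.

    Returns None when the line is not a piwik.php hit or carries no url=.
    Returns "" when url= is present but has no parseable host.
    """
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    req = urlsplit(m.group(1))
    if not req.path.endswith("/piwik.php"):
        return None
    values = parse_qs(req.query).get("url")  # parse_qs percent-decodes
    if not values:
        return None
    return (urlsplit(values[0]).hostname or "").lower()

def foreign_hits(lines, allowed=ALLOWED_HOSTS):
    """List (source_ip, host) for tracker hits reporting a host not in allowed."""
    hits = []
    for line in lines:
        host = tracked_host(line)
        if host is not None and host not in allowed:
            hits.append((line.split(" ", 1)[0], host))
    return hits

# Constructed sample log lines (documentation IP ranges, shortened parameters).
SAMPLE = [
    '203.0.113.7 - - [08/May/2011:00:31:17 -0700] "GET /stats/piwik.php?idsite=1&rec=1&url=http%3A%2F%2Fzooworldgameguide.com%2Fbrowse.php&urlref=http%3A%2F%2Fzooworldgameguide.com HTTP/1.1" 200 54 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [08/May/2011:00:32:02 -0700] "GET /stats/piwik.php?idsite=1&rec=1&url=http%3A%2F%2Fwww.example.org%2Findex.html HTTP/1.1" 200 54 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [08/May/2011:00:32:05 -0700] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, host in foreign_hits(SAMPLE):
        print(f"{ip} reported a page on foreign host {host!r}")
```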