Opened 15 months ago

Closed 15 months ago

Last modified 15 months ago

#3733 closed Bug (fixed)

User change language should check for token (reported by Merlin Mayr)

Reported by: matt Owned by: halfdan
Priority: normal Milestone: 1.11 - Piwik 1.11
Component: Core Keywords:
Cc: Sensitive: no

Description (last modified by halfdan)

Reported by email

I recently discovered an Cross Site Request Forgery-Flaw in the source code of the Piwik Code (Version 1.10.1). The flaw is located in the LanguagesManager-Plugin, here is the vulnerable part of code (Controller.php): public function saveLanguage()
The function does not check if the logged in user really wanted to change the language, there is no CSRF-Protection. It is possible to change the actual language, without having access to the Dashboard of Piwik, this could result in confused users, some users may think they got hacked and somebody else changed the current language.

we should add token_auth check to avoid CSRF on this.

Change History (5)

comment:1 Changed 15 months ago by halfdan

  • Owner set to halfdan
  • Status changed from new to assigned

comment:2 Changed 15 months ago by halfdan

  • Description modified (diff)

comment:3 Changed 15 months ago by Fabian Becker

  • Resolution set to fixed
  • Status changed from assigned to closed

In c2f670c4a59aa1c4142174365e076ee69a88d105:

Fixes possible minor CSRF that potentially allowed attackers to
change a users language.

fixes #3733

comment:4 Changed 15 months ago by matt (mattab)

  • Summary changed from User change language should check for token to User change language should check for token (reported by Merlin Mayr)

comment:5 Changed 15 months ago by matt (mattab)

In c8f11dd2631e5f0201f80f0aa8808486d8f593bd:

Refs #3733 Installer was broken because there is not yet a token_auth during installer, disabling csrf protectionif piwik is not installed

Note: See TracTickets for help on using tickets.