User change language should check for token (reported by Merlin Mayr) #3733

Closed · mattab opened this issue Feb 5, 2013 · 2 comments
Labels: Bug (for errors / faults / flaws / inconsistencies etc.)

Comments

mattab (Member) commented Feb 5, 2013

Reported by email:

I recently discovered a Cross-Site Request Forgery flaw in the source code of Piwik (version 1.10.1). The flaw is located in the LanguagesManager plugin; here is the vulnerable part of the code (Controller.php): `public function saveLanguage()`
The function does not check if the logged-in user really wanted to change the language; there is no CSRF protection. It is possible to change the current language without having access to the Piwik dashboard. This could result in confused users: some users may think they got hacked and somebody else changed the current language.

We should add a token_auth check to avoid CSRF on this.

anonymous-matomo-user commented

In c2f670c: Fixes possible minor CSRF that potentially allowed attackers to change a user's language.

fixes #3733

mattab (Member, Author) commented Feb 7, 2013

In c8f11dd: Refs #3733 Installer was broken because there is not yet a token_auth during the installer; disabling CSRF protection if Piwik is not installed
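The pattern behind this issue, written out as an added example that is not Piwik's code or the code from commits c2f670c/c8f11dd: a state-changing action that applies the request blindly (the reported `saveLanguage()` case) next to the same action gated on the session's token_auth, with the installer exception from c8f11dd modelled as an explicit "not installed" flag. The function names, the `$isInstalled` parameter, the allowed-language list and the sample token value are assumptions made for this illustration; `hash_equals()` needs PHP 5.6 or later.

```php
<?php
// Added example, not Piwik's own code. Function names, $isInstalled and the
// sample token below are assumptions made for this illustration.

// Constructed sample: the token_auth bound to the logged-in user's session.
$sessionTokenAuth = 'e3b0c44298fc1c149afbf4c8996fb924';

// Before the fix: whoever's browser submits the request gets the language
// changed, so a request triggered from another site works just as well as
// one from Piwik's own settings form. This is the CSRF the issue describes.
function saveLanguageVulnerable(array $request, &$currentLanguage)
{
    $currentLanguage = $request['language'];
    return true;
}

// After the fix: the request must carry the token_auth that only the
// application's own pages know, so a cross-site request cannot supply it.
function saveLanguageProtected(array $request, $sessionTokenAuth, $isInstalled, &$currentLanguage)
{
    // Installer exception (see c8f11dd): no token_auth exists before Piwik is
    // installed, so the check is skipped only in that state. Once installed,
    // the check is always enforced.
    if ($isInstalled) {
        $token = isset($request['token_auth']) ? (string) $request['token_auth'] : '';
        // Constant-time comparison so the check does not leak the token's
        // value through timing; an empty token is rejected outright.
        if ($token === '' || !hash_equals($sessionTokenAuth, $token)) {
            return false; // request did not prove it came from the user
        }
    }

    // Assumed allow-list: only languages the application actually ships.
    $allowed = array('en', 'de', 'fr');
    if (!isset($request['language']) || !in_array($request['language'], $allowed, true)) {
        return false;
    }

    $currentLanguage = $request['language'];
    return true;
}

// Constructed requests: one without token_auth, as a page on another site
// would have to send it, and one from the application's own form.
$withoutToken = array('language' => 'de');
$withToken    = array('language' => 'de', 'token_auth' => $sessionTokenAuth);

$language = 'en';
saveLanguageVulnerable($withoutToken, $language);
echo "vulnerable action, request without token: language is now '$language'\n";

$language = 'en';
$ok = saveLanguageProtected($withoutToken, $sessionTokenAuth, true, $language);
echo "protected action, request without token: " . ($ok ? 'accepted' : 'rejected')
   . ", language is '$language'\n";

$ok = saveLanguageProtected($withToken, $sessionTokenAuth, true, $language);
echo "protected action, request with token: " . ($ok ? 'accepted' : 'rejected')
   . ", language is '$language'\n";

// Installer state: no session token exists yet, so the check is bypassed.
$ok = saveLanguageProtected($withoutToken, '', false, $language);
echo "protected action during install (no token yet): " . ($ok ? 'accepted' : 'rejected') . "\n";
```

Run with `php example.php`. The token only works as CSRF protection because it is unguessable, tied to the user's session and never disclosed to other origins; the installer bypass is safe only while there is no account to act on behalf of, which is why the flag must flip to enforced as soon as installation completes.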

This issue was closed.