
Disallow open redirect to known subdomain in Overlay #3689

Closed
mattab opened this issue Jan 18, 2013 · 1 comment
Labels
c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. not-in-changelog For issues or pull requests that should not be included in our release changelog on matomo.org. Task Indicates an issue is neither a feature nor a bug and it's purely a "technical" change.

Comments

@mattab
Member

mattab commented Jan 18, 2013

From email report:

Open redirect in Piwik 1.10.1 to a target subdomain, for example:

http://demo.piwik.org/index.php?module=Overlay&action=startOverlaySession&idsite=7#http://forum.piwik.org.google.com

and example as iframe

http://demo.piwik.org/index.php?module=Overlay&action=index&idSite=7&period=day&date=yesterday#l=http$3A$2F$2Fforum.piwik.org.google.com

Need to create a subdomain with the name "forum.piwik.org" (knownUrls).

Bug: error in string

if (urlToRedirectWithoutPrefix.substr(0, testUrl.length) == testUrl)

in module Overlay in function startOverlaySession
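The report above describes why a string-prefix comparison is the wrong allowlist test: a hostname such as forum.piwik.org.google.com begins with the known URL http://forum.piwik.org and so passes the check. The example below is added here and is not Matomo's code; it reproduces the prefix check from the report beside an exact-origin comparison, with a constructed knownUrls list standing in for a site's configured URLs.

```javascript
// Constructed sample allowlist, standing in for a site's configured known URLs.
const knownUrls = ["http://forum.piwik.org", "https://demo.piwik.org/"];

// Vulnerable form, as quoted in the issue: a target whose string merely starts
// with a known URL is accepted, so "http://forum.piwik.org.google.com" passes.
function isAllowedByPrefix(urlToRedirect, known) {
  return known.some(
    (testUrl) => urlToRedirect.substr(0, testUrl.length) == testUrl
  );
}

// Hardened form: parse both sides with the WHATWG URL parser and require an
// exact scheme + host + port (origin) match, then a path-directory match.
// Anything that fails to parse, or is not http(s), is rejected.
function isAllowedByOrigin(urlToRedirect, known) {
  let target;
  try {
    target = new URL(urlToRedirect);
  } catch (e) {
    return false; // unparseable input is never a valid redirect target
  }
  if (target.protocol !== "http:" && target.protocol !== "https:") return false;
  return known.some((entry) => {
    const allowed = new URL(entry);
    if (allowed.origin !== target.origin) return false;
    // Compare paths at a directory boundary so "/app" does not match "/application".
    const base = allowed.pathname.endsWith("/") ? allowed.pathname : allowed.pathname + "/";
    return target.pathname === allowed.pathname || target.pathname.startsWith(base);
  });
}

// The case from the report: the prefix check accepts it, the origin check does not.
console.log(isAllowedByPrefix("http://forum.piwik.org.google.com", knownUrls)); // true
console.log(isAllowedByOrigin("http://forum.piwik.org.google.com", knownUrls)); // false
```

The origin comparison also rejects a scheme mismatch (https://forum.piwik.org/ against a known http:// entry), which a tolerant prefix or substring check would not surface.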

@mattab mattab added this to the Future releases milestone Jul 8, 2014
@mattab mattab removed the P: normal label Aug 3, 2014
@mattab mattab modified the milestones: Long term, Mid term Dec 23, 2015
@mattab mattab modified the milestones: Long term, Mid term Dec 5, 2016
@Findus23
Member

A quick check shows that the latest Matomo version does check if the requested URL is allowed.

@mattab mattab added the not-in-changelog For issues or pull requests that should not be included in our release changelog on matomo.org. label Jan 21, 2019