Disallow open redirect to known subdomain in Overlay #3689
Labels
c: Security
not-in-changelog
Task
From email report:
Open redirect in Piwik 1.10.1 to a target subdomain, for example:
http://demo.piwik.org/index.php?module=Overlay&action=startOverlaySession&idsite=7#http://forum.piwik.org.google.com
and an example as iframe:
http://demo.piwik.org/index.php?module=Overlay&action=index&idSite=7&period=day&date=yesterday#l=http$3A$2F$2Fforum.piwik.org.google.com
You need to create a subdomain with the name "forum.piwik.org" (knownUrls).
Bug: error in this line:
if (urlToRedirectWithoutPrefix.substr(0, testUrl.length) == testUrl)
in module Overlay, in function startOverlaySession.
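The following is an added example written for this issue, not Piwik/Matomo code. It puts the string-prefix comparison quoted in the report next to an origin-based check that rejects the look-alike host from the PoC. The knownUrls list is a constructed stand-in for a site's configured URLs, the helper names are invented, and the "$"-for-"%" decoding of the l= hash parameter is an assumption read off the second PoC URL above.

```javascript
// Added example (not Piwik/Matomo code): why a prefix test against knownUrls
// is not an open-redirect defence, and a stricter origin comparison.
// Assumed/constructed: knownUrls, the helper names, and the "$" -> "%"
// decoding of the l= fragment parameter (taken from the PoC URL's shape).

// Constructed stand-in for a site's configured URLs (main URL plus aliases).
const knownUrls = ["http://forum.piwik.org", "http://piwik.org/"];

// Recover the redirect target from the fragment of the two PoC forms:
//   #http://...            (startOverlaySession form, target used verbatim)
//   #l=http$3A$2F$2F...    (Overlay index form; "$" assumed to stand for "%")
function targetFromHash(hash) {
  const frag = hash.startsWith("#") ? hash.slice(1) : hash;
  if (frag.startsWith("l=")) {
    return decodeURIComponent(frag.slice(2).replace(/\$/g, "%"));
  }
  return frag;
}

// The flawed check from the report: a string-prefix test. Any host that merely
// begins with a known URL passes, e.g. http://forum.piwik.org.google.com,
// because its first 22 characters are exactly "http://forum.piwik.org".
function isAllowedByPrefix(urlToRedirect, known) {
  return known.some((testUrl) =>
    urlToRedirect.substr(0, testUrl.length) == testUrl);
}

// Stricter check: parse the target with the WHATWG URL parser and require its
// origin (scheme + host + port) to equal the origin of a known URL. The
// look-alike host has a different origin, as do userinfo tricks
// (http://forum.piwik.org@evil.example), a scheme change, and non-http(s)
// schemes such as javascript:, which are also rejected explicitly.
function isAllowedByOrigin(urlToRedirect, known) {
  let target;
  try {
    target = new URL(urlToRedirect); // throws on relative or malformed input
  } catch (e) {
    return false;
  }
  if (target.protocol !== "http:" && target.protocol !== "https:") {
    return false;
  }
  return known.some((k) => new URL(k).origin === target.origin);
}

// Run the two PoC fragments from the report (plus a legitimate target)
// through both checks and report what each one decides.
function demo() {
  const cases = [
    "#http://forum.piwik.org.google.com",
    "#l=http$3A$2F$2Fforum.piwik.org.google.com",
    "#http://forum.piwik.org/some/page",
  ];
  return cases.map((h) => {
    const t = targetFromHash(h);
    return {
      hash: h,
      target: t,
      allowedByPrefix: isAllowedByPrefix(t, knownUrls),
      allowedByOrigin: isAllowedByOrigin(t, knownUrls),
    };
  });
}

for (const r of demo()) console.log(r);
```

Comparing origins rather than string prefixes is the point: both PoC targets are allowed by the prefix test and rejected by the origin test, while a real page under forum.piwik.org still passes. If a deployment must allow subdomains of a known host, compare hostnames with an explicit dot boundary (`host === base || host.endsWith("." + base)`) rather than a suffix test, since a bare suffix match would let `evilforum.piwik.org` through in the same way the prefix test lets `forum.piwik.org.google.com` through.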