
Prevent content spoofing: display error if the URL is not valid #8693

Closed
mattab opened this issue Sep 2, 2015 · 2 comments
Labels: c: Security (for issues that make Matomo more secure; please report issues through HackerOne and not in GitHub)
Comments

mattab (Member) commented Sep 2, 2015

It is possible to display custom text content on any Piwik instance as follows:

(screenshot: spoofing)

Reported to security team:

http://demo.piwik.org is vulnerable to content spoofing and exploitable to all users.

Description: Content Spoofing is an attack technique used to trick a user into thinking that fake web site content is legitimate data. It is an attack targeting a user, made possible by an injection vulnerability in a web application. When an application does not properly handle user-supplied data, an attacker can supply content to a web application, typically via a parameter value, that is reflected back to the user.

Vulnerable URL:

http://demo.piwik.org/index.php?module=Proxy&action=redirect&url=(Text Here)

I wanted to publicly acknowledge this limited security issue - maybe you have a suggestion on how this should be fixed, or whether we should fix it at all?
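The fix the title asks for, as an added stand-alone example that is not Matomo's own code: the `url` parameter is validated before use, and when it fails validation the handler returns a fixed error message instead of echoing the parameter back, so there is no reflected text to spoof. The function names and the plain-PHP request handling are assumptions for illustration.

```php
<?php
// Added example (not Matomo's code): a minimal redirect endpoint that
// validates the ?url= parameter and never reflects it into the response.

/**
 * Returns the candidate URL if it is a well-formed absolute http(s) URL,
 * otherwise null. Nothing about the rejected value is returned to the client.
 */
function validateRedirectUrl(string $candidate): ?string
{
    // Control characters and whitespace are never part of a valid URL and
    // would also be a vector for header injection in the Location header.
    if ($candidate === '' || preg_match('/[\x00-\x20\x7f]/', $candidate)) {
        return null;
    }
    if (filter_var($candidate, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $parts = parse_url($candidate);
    if (!isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    // Only web schemes; rejects javascript:, data:, file: and friends.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    return $candidate;
}

function handleRedirect(array $query): void
{
    $target = validateRedirectUrl((string) ($query['url'] ?? ''));
    if ($target === null) {
        // Static message: the attacker-controlled string is logged server-side
        // for detection but never written into the page the visitor sees.
        error_log('Proxy.redirect: rejected invalid url parameter');
        http_response_code(400);
        header('Content-Type: text/plain; charset=utf-8');
        echo "The requested redirect URL is not valid.";
        return;
    }
    header('Location: ' . $target, true, 302);
}

handleRedirect($_GET);
```

With this in place, `?url=(Text Here)` yields the fixed 400 message, while `?url=https://example.org/` still redirects; an allow-list of permitted destination hosts can be added inside `validateRedirectUrl` if open redirects are also a concern.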

@mattab mattab added the c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. label Sep 2, 2015
haseebeqx (Contributor) commented

It's not a security issue; it is a bug in the code. A simple code rearrangement will fix this issue. I created a pull request, #8719, which will fix this.

@sgiehl sgiehl added this to the 2.15.0 milestone Sep 6, 2015
sgiehl (Member) commented Sep 6, 2015

Fixed with #8719.

@sgiehl sgiehl closed this as completed Sep 6, 2015
@mattab mattab changed the title Content spoofing Prevent content spoofing: display error if the URL is not valid Oct 13, 2015