@mattab opened this Issue on April 1st 2010 Owner

I saw on twitter a Piwik XSS tweet pointing to http://packetstormsecurity.org/1003-exploits/piwik-xss.txt

We should fix it and check other variables to ensure there is no XSS left.

I re-enabled the sensitive ticket plugin for this one, and set it to sensitive, which seems to work.

@robocoder commented on April 2nd 2010 Contributor

(In [2038]) refs #1269

@robocoder commented on April 2nd 2010 Contributor

(In [2039]) refs #1269

@robocoder commented on April 2nd 2010 Contributor

(In [2047]) refs #1269

@robocoder commented on April 2nd 2010 Contributor

While [fixed the issue (by validating/filtering/escaping form_url), 2047 is a better solution -- it eliminates form_url entirely as a parameter/hidden form field.

I've drafted a blog entry for the security advisory and will request a CVE later for the 0.6 release.

@mattab commented on April 24th 2010 Owner

I disabled the sensitivity plugin for now, also closing this... please reopen if there is an open issue.

This Issue was closed on April 24th 2010