@mattab opened this Issue on September 2nd 2015 Owner

It is possible to display custom text content on any Piwik instance as follows:

[screenshot: spoofing]

Reported to security team:

http://demo.piwik.org is vulnerable to content spoofing and exploitable against all users.

*Description:* Content Spoofing is an attack technique used to trick a
user into thinking that fake web site content is legitimate data. It
is an attack targeting a user, made possible by an injection
vulnerability in a web application. When an application does not
properly handle user-supplied data, an attacker can supply content
to a web application, typically via a parameter value, that is
reflected back to the user.

Vulnerable URL:

http://demo.piwik.org/index.php?module=Proxy&action=redirect&url=
(Text Here)

I wanted to publicly acknowledge this limited security issue - maybe you have a suggestion on how this should be fixed, or whether we should fix it at all?
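One defensive pattern for a redirect endpoint of the `module=Proxy&action=redirect&url=` kind, as an added example that is neither Piwik's code nor the change made in #8719: the `url` parameter is accepted only as an absolute http(s) URL to an assumed allowlist of hosts, and whatever is echoed into the page body is HTML-escaped, so arbitrary text in the parameter is rejected rather than displayed.

```python
from html import escape
from urllib.parse import urlsplit

# Assumed allowlist of hosts this instance may redirect to (constructed
# for the example; a real deployment would load it from configuration).
ALLOWED_HOSTS = {"piwik.org", "demo.piwik.org"}


def validate_redirect_target(url):
    """Return url if it is an absolute http(s) URL to an allow-listed host, else None."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        # Rejects bare text ("Text Here"), scheme-relative "//host" and
        # non-web schemes such as javascript: or data:.
        return None
    host = parts.hostname
    if host is None or host.lower() not in ALLOWED_HOSTS:
        return None
    return url


def render_redirect_page(url):
    """Build (status, headers, body) for the redirect response.

    Invalid targets get a fixed error page; the raw parameter never
    reaches the body unescaped, so there is nothing to spoof with.
    """
    target = validate_redirect_target(url)
    if target is None:
        return 400, {}, "<p>Invalid redirect target.</p>"
    safe = escape(target, quote=True)
    body = '<p>Redirecting to <a href="%s">%s</a></p>' % (safe, safe)
    return 302, {"Location": target}, body


if __name__ == "__main__":
    # Constructed inputs: the spoofing payload from the report and a valid target.
    for candidate in ("Text Here", "https://demo.piwik.org/index.php"):
        status, headers, body = render_redirect_page(candidate)
        print(status, headers.get("Location"), body)
```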

@haseebeqx commented on September 6th 2015 Contributor

It's not a security issue; it is a bug in the code.
A simple code rearrangement will fix this issue. Created pull request #8719,
which will fix this.

@sgiehl commented on September 6th 2015 Member

fixed with #8719

This Issue was closed on September 6th 2015