xss affecting IE6, IE7 and IE8 #6053
Comments
Once this issue is verified and reproduced, we shall send a bounty to the security researcher Dingjie (Daniel) Yang, as per our security bug bounty program.
Something like that included in index.php could fix it:

    // Parameters listed here keep their raw value; every other GET parameter is HTML-escaped.
    $getParamsWithHtmlAllowed = array('foo', 'bar');
    foreach (array_diff_key($_GET, array_flip($getParamsWithHtmlAllowed)) as $key => $value) {
        $_GET[$key] = htmlspecialchars($value);
    }

No?
@kylekatarnls a "rule" for all is also dangerous... please not this way 😄
By default, any parameter needs HTML escaping, so if any exceptions are forgotten, there is no danger. And a global is more efficient than duplicating code in several places. So what do you suggest? Give it if you have a better way.
@kylekatarnls actually @ThaDafinser is right, the global is not a proper solution, as it would break many other things. We'll find a proper fix, no worries.
@kylekatarnls remember
This security issue occurs because the URL contains The solution we are discussing is to redirect the URL so
Here is the report to our security team
reproduce
http://demo.piwik.org/index.php/.html?date=yesterday&module=API&format=json&method=SitesManager.getImageTrackingCode&idSite=1&period=day&piwikUrl=%3Cimg%20src%3dx%20onerror%3dalert('XSS')%3E&actionName=&token_auth=12121
Also http://demo.piwik.org/index.php/.html?date=yesterday&module=API&format=json&method=SitesManager.getImageTrackingCode&idSite="><img%20src=x%20onerror=alert('XSS')>&period=day&piwikUrl=1&actionName=&token_auth=12121
Also http://demo.piwik.org/index.php/.html?module=API&method=UserCountry.getLocationFromIP&ip="><image%20src=x%20onerror=alert('XSS')>&format=JSON&
Double check whether you have filtered the parameters customCampaignKeywordParam, customCampaignNameQueryParam.
Just make a request to your demo website under IE7 or IE8 (I tested on IE 8.0.6001.17184), and you will find that the injected JavaScript code
<img src=x onerror=alert('XSS')>
will be executed. You will be unable to exploit this vulnerability in a modern browser because the content type of the response body is application/json. Modern browsers will not render this content type. That is why you could only exploit it in IE6, IE7 and IE8 (some versions).
Details
If you check the source code, it is basically caused by the following code in API.php: https://github.com/piwik/piwik/blob/8d1f1b39f26bc00394af5ac220b6bd97ca89537f/plugins/SitesManager/API.php#L129
There is no check or validation on the parameter piwikUrl to filter malicious characters. This vulnerability has been there since Piwik 2.2.0. Please let me know. In the attachment is a screenshot of the exploitation against the demo.piwik.org website in IE7.
Note from Piwik security team
We generally do not communicate via issues on XSS issues in Piwik (some have called it "security by obscurity", but we definitely disagree with that). Because this issue affects only IE6, IE7 and IE8 it has limited impact, and so we decided to track it in a GitHub issue.
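The report above traces the bug to the piwikUrl parameter being concatenated into the tracking-code markup without escaping, and the comments debate a blanket htmlspecialchars over $_GET against a targeted fix. The PHP below is an added illustration and not Piwik's code: a stand-in for the tracking-code builder in its vulnerable form beside a hardened one that validates the URL and escapes at the point of output, plus the response headers that stop old IE versions from sniffing a JSON body as HTML. The function names, the shape of the tracking tag and the constructed input are assumptions.

```php
<?php
// Added example (not Piwik's code). Stand-in for an API method that builds an
// HTML tracking tag from request parameters and returns it inside a JSON body.

// Vulnerable form: the parameter is concatenated into markup as-is, so any
// HTML in it reaches the browser intact.
function buildTrackingCodeUnsafe(string $piwikUrl, int $idSite): string
{
    return '<img src="' . $piwikUrl . '/piwik.php?idsite=' . $idSite
        . '&rec=1" style="border:0" alt="" />';
}

// Hardened form: validate that the value is an absolute http(s) URL before it
// reaches the template, then escape for the HTML attribute context. Escaping
// happens here, at output, rather than by rewriting $_GET globally: the same
// parameter may be needed raw elsewhere (a redirect target, a database value),
// and blanket escaping corrupts legitimate characters such as '&' in URLs.
function buildTrackingCodeSafe(string $piwikUrl, int $idSite): string
{
    $parts = parse_url($piwikUrl);
    if ($parts === false
        || !isset($parts['scheme'], $parts['host'])
        || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        throw new InvalidArgumentException('piwikUrl must be an absolute http(s) URL');
    }
    // ENT_QUOTES covers both quote styles, so the value cannot close the attribute.
    $escapedUrl = htmlspecialchars($piwikUrl, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    // idSite is typed as int, so a value like the second payload in the report
    // never reaches the markup as a string.
    return '<img src="' . $escapedUrl . '/piwik.php?idsite=' . $idSite
        . '&amp;rec=1" style="border:0" alt="" />';
}

// Response side: declare the type with a charset and forbid MIME sniffing.
// This is defence in depth against browsers that render JSON as HTML; it does
// not replace escaping in the builder.
function sendJson(array $payload): void
{
    header('Content-Type: application/json; charset=utf-8');
    header('X-Content-Type-Options: nosniff');
    echo json_encode(
        $payload,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    ), PHP_EOL;
}

// Demonstration with a constructed input shaped like the payload in the report.
$input = "<img src=x onerror=alert('XSS')>";

echo buildTrackingCodeUnsafe($input, 1), PHP_EOL; // tag passes through unchanged

try {
    echo buildTrackingCodeSafe($input, 1), PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL; // not an http(s) URL
}

// A legitimate value (constructed hostname) is escaped and embedded normally.
sendJson(['value' => buildTrackingCodeSafe('https://analytics.example.com', 1)]);
```

Run from the command line, the unsafe builder prints the injected tag verbatim, the safe builder rejects it before any markup is produced, and the final call shows the escaped tag wrapped in JSON with the hex-encoding flags applied. In a web context the two header() calls take effect as well; at the CLI they are no-ops.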