oss-sec mailing list archives
Re: CVE request: XSS in piwik before 1.9
From: Matthieu Aubry <matthieu.aubry () gmail com>
Date: Wed, 24 Oct 2012 11:12:39 +1300
I hate to break it to you but I did a quick file diff and the XSS stuff is pretty easy to spot. Any attacker who wants to find the vulnerability will, quickly. Not giving out information really only harms the people that actually benefit from knowing (e.g. your users and vendors, it's just one more thing to figure out).
We know and understand how diff works; remember that we are building a major piece of open source software? So yes, we are fully aware how easy it is to find XSS by doing a diff... We disagree that giving out exploits and more info about the hacks will help security and our users: it will NOT. Supporting researchers to find security bugs in open source projects, however, has helped us a lot: http://piwik.org/security/
Current thread:
- CVE request: XSS in piwik before 1.9 Hanno Böck (Oct 21)
- Re: CVE request: XSS in piwik before 1.9 Kurt Seifried (Oct 22)
- Re: CVE request: XSS in piwik before 1.9 Matthieu Aubry (Oct 22)
- Re: CVE request: XSS in piwik before 1.9 Kurt Seifried (Oct 22)
- Re: Re: CVE request: XSS in piwik before 1.9 Kurt Seifried (Oct 22)
- Re: CVE request: XSS in piwik before 1.9 Solar Designer (Oct 22)
- Re: CVE request: XSS in piwik before 1.9 Matthieu Aubry (Oct 23)
- Re: CVE request: XSS in piwik before 1.9 Kurt Seifried (Oct 23)
- Re: CVE request: XSS in piwik before 1.9 Stuart Henderson (Oct 24)
- Re: CVE request: XSS in piwik before 1.9 Matthieu Aubry (Oct 22)
- Re: CVE request: XSS in piwik before 1.9 Kurt Seifried (Oct 22)