oss-sec mailing list archives

Re: CVE request: XSS in piwik before 1.9

From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 23 Oct 2012 22:13:34 -0600

On 10/23/2012 04:12 PM, Matthieu Aubry wrote:

>> I hate to break it to you but I did a quick file diff and the XSS
>> stuff is pretty easy to spot. Any attacker who wants to find the
>> vulnerability will, quickly. Not giving out information really
>> only harms the people that actually benefit from knowing (e.g. your
>> users and vendors, it's just one more thing to figure out).
>
> We know and understand how diff works, remember that we are building
> a major open source software? So yes we are fully aware how easy it
> is to find XSS by doing a diff...
>
> We disagree that giving out exploits and more info about the hacks
> will help security and our users: it will NOT. Supporting
> researchers to find security bugs in open source projects, however,
> has helped us a lot: http://piwik.org/security/

I never said anything about giving out exploits.

I simply pointed out that trying to hide details of an issue is only
going to annoy legitimate users/vendors and does not actually
protect against attackers who also know how to use diff. Transparency
in the security process is important, it helps build trust, and it
helps users/vendors deal with the issues more quickly and efficiently.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
