mailing list archives
Re: CVE request: XSS in piwik before 1.9
From: Matthieu Aubry <matthieu.aubry () gmail com>
Date: Wed, 24 Oct 2012 11:12:39 +1300
> I hate to break it to you but I did a quick file diff and the XSS
> stuff is pretty easy to spot. Any attacker who wants to find the
> vulnerability will, quickly. Not giving out information really only
> harms the people that actually benefit from knowing (e.g. your users
> and vendors, it's just one more thing to figure out).
We know and understand how diff works; remember that we are building major
open source software? So yes, we are fully aware how easy it is to find XSS
by doing a diff...
We disagree that giving out exploits and more info about the hacks will
help security and our users: it will NOT.
Supporting researchers to find security bugs in open source projects,
however, has helped us a lot: http://piwik.org/security/