Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: CVE request: XSS in piwik before 1.9
From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 23 Oct 2012 22:13:34 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/23/2012 04:12 PM, Matthieu Aubry wrote:


I hate to break it to you but I did a quick file diff and the XSS 
stuff is pretty easy to spot. Any attacker who wants to find the 
vulnerability will, quickly. Not giving out information really
only harms the people that actually benefit from knowing (e.g. your
users and vendors, it's just one more thing to figure out).\


We know and understand how diff work, remember that we are building
a major open source software? So yes we are fully aware how easy it
is to find XSS by doing a diff...

We disagree that giving out exploits and more info about the hacks,
will help security and our users : it will NOT. Supporting
researchers to find security bugs in open source projects, however
has helped us a lot: http://piwik.org/security/

I never said anything about giving out exploits.

I simply pointed out that trying to hide details of an issue is only
going to annoy legitimate users/vendors and does not to actually
protect against attackers who also know how to use diff. Transparency
in the security process is important, it helps build trust, and it
helps users/vendors deal with the issues more quickly and efficiently.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJQh2ruAAoJEBYNRVNeJnmT2IEQAIzp9Uiuof1Uj2bgxZEZQHPU
bdNIvCvmuOR4r9GLdOb2ok1NXIdK1yNI6Hm8g13pE4cfS/m8JJw12gKlUXFn0DxM
CcMYH+x97yNP2DJbbXWxNUT26E556WDlu5zZhV/wxfDEJtRyYiHt/eSfsO4pS/fF
BEhb0wZZhghNN0vvUVmsnrQPpX5y32ObJIQ6K1WdkEwA3g/c5+U31krhJvoI//q0
JNiprR35Ywvk+J5j1ZfA6EaLow+VnqVDuwyAl3KxLe5hyxcwvjSepddulFzrYxU9
8a1cN6EZb6YSM+5UHcPnOC/upky/32dMfHRkZrJxT14hV7rHMvkAYvxhgtPCeKyR
K71l3lCFJa2hy0P0DDoFjbYi6HwQkZbfmz3owADKCuwIc7OUdD4I2NXiAKH1st3y
zVX8GuTk2yaRBxKVKEb5A8x+Ke9rSSbAo4ys+IhYToToWk7Mdlmuifniq2QahLNB
pOhXNzMzfKKlgW5CxwFv6UnKiekvb3UYD6a7UeQ26aWMKuZlOT1ui4ipM2Ox1U1l
9Kv0OR3AlZslG3jaHTPPOIIF45VU8K+p9p1rGbvZOUurnfkrhuKXUqUDqDQG/YN8
Bn7fb09iNEM3S4tut+71JRleT96nmx9DUH5cYm7cTgLPzcC98AW0/wUK/Sn/5WRJ
xiAyZYYPtHTgvebejEe+
=1HLT
-----END PGP SIGNATURE-----


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]