Message-ID: <CALYzWgyFwOpPAeSPUZieLw6OG02RUdkyePC=v3UY4SSs1LJ2aw@mail.gmail.com>
Date: Wed, 24 Oct 2012 11:12:39 +1300
From: Matthieu Aubry <matthieu.aubry@...il.com>
To: Kurt Seifried <kseifried@...hat.com>
Cc: oss-security@...ts.openwall.com, Hanno Böck <hanno@...eck.de>
Subject: Re: CVE request: XSS in piwik before 1.9

> I hate to break it to you but I did a quick file diff and the XSS
> stuff is pretty easy to spot. Any attacker who wants to find the
> vulnerability will, quickly. Not giving out information really only
> harms the people that actually benefit from knowing (e.g. your users
> and vendors, it's just one more thing to figure out).


We know and understand how diff works; remember that we are building a major
piece of open source software? So yes, we are fully aware how easy it is to find XSS
by doing a diff...

We disagree that giving out exploits and more info about the hacks will
help security and our users: it will NOT.
Supporting researchers to find security bugs in open source projects,
however has helped us a lot: http://piwik.org/security/
