« previous next »
Pages: [1]   Go Down

Author Topic: Piwik vulnerable to a webapps exploit?  (Read 1427 times)

0 Members and 1 Guest are viewing this topic.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33925
  • malware fighter
Piwik vulnerable to a webapps exploit?
« on: May 23, 2017, 10:12:01 PM »
Where we stumbled upon this piece of code? -> https://sritest.io/#report/e945a03b-e6b4-4aff-be70-0b0eb07a2f1c
and yes it is the very code with the missing sri hash: -https://ganado.org/anpw/piwik.js
33 sources and 11 sinks found: http://www.domxssscanner.com/scan?url=https%3A%2F%2Flegible.es
Errors in code
Quote
error: line:40: SyntaxError: missing ) in parenthetical:
          error: line:40: }var ai=ak.clientWidth;if(Q.innerWidth&&ai>Q.innerWidth){ai=Q.innerWidth}var ah=ak.clientHeight;if(Q.innerHeight&&ah>Q.innerHeight){ah=Q.innerHeight}return((al.bottom>0||aj)&&al.right>0&&al.left<ai&&((al.top&lt;ah)||aj))},isNodeVisible:function(ai){var ah
          error: line:40: .......................................
And might also be endangering your privacy: https://gcache.ghostery.com/gcache?n=UGl3aWsgQW5hbHl0aWNz&s=aHR0cDovL3N0YXRpc3RpY3MubWVkaS5kZS9waXdpay5qcw%3D%3D
-> https://urlscan.io/result/b2ee6b44-001f-48fd-9dcc-8b15b2ba0622#summary
https://urlscan.io/api/v1/result/b2ee6b44-001f-48fd-9dcc-8b15b2ba0622/

Piwik PHP exploitable: https://www.exploit-db.com/exploits/40724/  From Mike Shema we know this is a very dangerous threat
with this JavaScript tracking client.


polonus (volunteer website security analyst and website error-hunter)
« Last Edit: May 23, 2017, 11:28:27 PM by polonus »
Logged
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
Pages: [1]   Go Up
« previous next »