Hello!
Attached is a patch that upgrades the Mixpanel JavaScript to the latest version and fixes an XSS vulnerability. Basically, anyone with 'access administration pages' could set the Mixpanel token to something like: ");alert("hey!
This would, of course, throw up an alert on every page!
I'd also recommend creating a new permission for administering Mixpanel, because 'access administration pages' is frequently given to site managers, and you might not want to let them mess with it. But that's an entirely different issue.
Thanks!
David.
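An added example, not code from this patch or from the Mixpanel module (whose actual fix lives in the module's PHP): a JavaScript model of the inline-script template that shows why raw concatenation lets the stored token terminate the string literal, and how JSON-encoding the value (plus escaping < and > so it can never close the script tag) keeps the whole token a single string argument. The function names, the stub mixpanel object and the sample token are constructed for this illustration.

```javascript
// Constructed sample: the token value from the report above.
const TOKEN_PAYLOAD = '");alert("hey!';

// Vulnerable rendering: the setting is dropped straight into the inline script,
// so any quote characters in it end the string literal and what follows runs as code.
function renderVulnerable(token) {
  return 'mixpanel.init("' + token + '");';
}

// Hardened rendering: JSON.stringify produces a valid JS string literal (quotes,
// backslashes and control characters escaped). The extra replacements encode
// '<', '>' and the JS line terminators U+2028/U+2029 as \u escapes so the value
// cannot contain a literal "</script>" or break the statement.
function renderSafe(token) {
  const literal = JSON.stringify(String(token))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
  return 'mixpanel.init(' + literal + ');';
}

// Runs a rendered script against a stub `mixpanel` object and returns whatever
// init() received. `alert` is stubbed to throw, so a rendering that lets the
// payload escape the string literal fails loudly instead of silently succeeding.
function initArgument(script) {
  let received;
  const mixpanel = { init(t) { received = t; } };
  const alert = () => { throw new Error('alert reached'); };
  new Function('mixpanel', 'alert', script)(mixpanel, alert);
  return received;
}

// Stand-alone demonstration.
console.log('vulnerable:', renderVulnerable(TOKEN_PAYLOAD)); // quote breaks the literal
console.log('safe:      ', renderSafe(TOKEN_PAYLOAD));       // token stays one string
console.log('init() got:', JSON.stringify(initArgument(renderSafe(TOKEN_PAYLOAD))));
```

In Drupal 7 the equivalent server-side step is to pass the setting through drupal_json_encode() (or drupal_add_js() with a settings array) rather than concatenating it into a script string; whichever encoder is used, the test that matters is the last one above: the value that reaches init() must equal the stored setting byte for byte, with nothing executed on the way.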
Comments
Comment #1
dsnopek
Comment #2
dsnopek
Gah! Trying to set to 'needs review'.
Comment #3
wundo commented
Re-rolling the patch only with the XSS fix.
Comment #4
dsnopek
The patch you attached appears to be for something else entirely. Also, what is your rationale for keeping the old Mixpanel JavaScript library? Is that what the Drupal module for version 1.x is going to be pinned at? Should we make a 2.x branch which uses the latest JavaScript library or something similar?
Comment #5
dsnopek
I've attached a patch which is just the XSS fix out of the original. I also updated the issue on security.drupal.org. I assume you wanted to split it for the security team?
Comment #6
dsnopek
Changing this issue to only be about the XSS vulnerability.
I created a new issue to track upgrading the Mixpanel Javascript library to version 2: #1849574: Upgrade Mixpanel Javascript to version 2.0
Comment #7
dsnopek
Committed patch.
Comment #8.0
(not verified) commented
Security issue -- unpublishing
Comment #9
avpaderno