Reference: CVE-2009-1085 dated 03/25/2009

Contrary to the advisory, the Piwik project did not “confirm” this “vulnerability”. We have classified this issue as user error. The subject file, “misc/cron/archive.sh”, was intended to be a sample shell script. By default, archiving is an internal Piwik process, and an external “archive.sh” file is neither required nor used in most installations. Users who required the cron-based archiving were expected to copy the file to a secure location and configure it for their environment, since the sample file is always overwritten by the software update process.

The only way to expose the API key in “archive.sh” would be for a user to manually edit this file in situ. Piwik does not “store” the API key in “archive.sh” as alleged in the advisory — not through the installer, not through the admin panel. Piwik never configures this file with the superuser’s API key. To reiterate, Piwik never modifies this file.

Starting with Piwik version 0.2.33 (released Apr 7, 2009), “archive.sh” is production-ready and will programmatically fetch the API key from the user’s (private) configuration file.

Piwik users who have configured “archive.sh” (up to and including Piwik version 0.2.32) are advised to update to the latest version of Piwik, or to restrict access to this script, either through “.htaccess” rules or by moving the script outside the web document root.
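The pattern described above, a cron script that pulls the API key from a private configuration file at run time instead of carrying it in its own text, together with the two checks a user would want before scheduling such a script (that it lives outside the document root, and that the config file it reads is not group- or world-readable), as an added example in POSIX shell. This is not Piwik’s “archive.sh” and not project code; the INI-style config format, the `api_key` key name, the file paths and the document root are all assumptions, and the sample config it builds in a temporary directory is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not Piwik project code. Demonstrates reading an API key from a
# private config file at run time (nothing secret is ever written into the
# script itself) plus two placement/permission checks run before use.
set -eu

# Read "key = value" (value optionally double-quoted) from an INI-style file.
# Prints the value of the first match; fails if the file is unreadable or the
# key is absent. KEY is expected to be a plain identifier (no regex metachars).
read_token_from_config() {
    config="$1"
    key="$2"
    [ -r "$config" ] || { echo "config not readable: $config" >&2; return 1; }
    value=$(sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$config" \
            | head -n 1 \
            | sed 's/[[:space:]]*$//; s/^"\(.*\)"$/\1/')
    [ -n "$value" ] || { echo "key '$key' not found in $config" >&2; return 1; }
    printf '%s\n' "$value"
}

# Succeed only if the directory holding SCRIPT is not inside DOCROOT.
# A script under the document root can be fetched as plain text by anyone
# if the web server does not execute .sh files.
path_is_outside_docroot() {
    script_dir=$(cd "$(dirname "$1")" && pwd -P) || return 1
    docroot=$(cd "$2" && pwd -P) || return 1
    case "$script_dir/" in
        "${docroot%/}/"*) return 1 ;;   # inside the web root
        *)                return 0 ;;
    esac
}

# Succeed only if CONFIG grants no read permission to group or others
# (i.e. mode looks like -rw------- or stricter for the r bits).
# Parses the mode column of `ls -ld`: positions 5 and 8 are group/other read.
config_is_private() {
    perms=$(ls -ld "$1" | cut -c1-10)
    case "$perms" in
        ????-??-??) return 0 ;;
        *)          return 1 ;;
    esac
}

# --- constructed demo environment (assumed layout, not a real installation) ---
demo=$(mktemp -d)
mkdir -p "$demo/htdocs" "$demo/private"
printf '[superuser]\napi_key = "constructed-sample-key-0000"\n' \
    > "$demo/private/config.ini"          # constructed sample config
chmod 600 "$demo/private/config.ini"

if path_is_outside_docroot "$demo/private/archive.sh" "$demo/htdocs" \
   && config_is_private "$demo/private/config.ini"; then
    token=$(read_token_from_config "$demo/private/config.ini" api_key)
    # The real script would call the archiving API here, passing $token.
    echo "key loaded at run time (${#token} chars); never stored in the script"
else
    echo "refusing to run: script placement or config permissions unsafe" >&2
fi
rm -rf "$demo"
```

The key is read from the config file each time the cron job runs, so updating the software (which overwrites the sample script) cannot leave a stale or exposed credential in the script, and the file that actually holds the key stays outside the document root with owner-only permissions.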


Anthon Pang

- An active contributor for years, Anthon has designed some major features in Piwik, such as the first version of the JavaScript tracker. He still regularly advises the team.