Piwik 0.2.33, response to CVE-2009-1085

Reference: CVE-2009-1085 dated 03/25/2009

Contrary to the advisory, the Piwik project did not “confirm” this “vulnerability”. We have classified this issue as user error. The subject file, “misc/cron/archive.sh”, was intended to be a sample shell script. By default, archiving is an internal Piwik process, and an external “archive.sh” file is not required nor used in most installations. Users who required the cron-based archiving were expected to copy the file to a secure location and configure it to their environment, since the sample file is always overwritten by the software update process.

The only way to expose the API key in “archive.sh” would be for a user to manually edit this file in-situ. Piwik does not “store” the API key in “archive.sh” as alleged in the advisory — not through the installer, not through the admin panel. Piwik never configures this file with the superuser’s API key. To reiterate, Piwik never modifies this file.

Starting with Piwik version 0.2.33 (released Apr 7, 2009), “archive.sh” is production-ready and will programmatically fetch the API key from the user’s (private) configuration file.

Piwik users who have configured “archive.sh” (up to and including Piwik version 0.2.32) are advised to update to the latest version of Piwik, or restrict access to this script by either “.htaccess” or moving the script outside the web document root.