The Piwik project confirms that a potential vulnerability exists due to a file included in a third-party library. The vulnerability is exploitable whether or not the web site has the PHP configuration directive register_globals=On. The list of affected Piwik releases is limited to Piwik versions 0.2.35, 0.2.36, 0.2.37, 0.4, 0.4.1, 0.4.2, and 0.4.3. Piwik version 0.4.4 and later are not affected.

As of Piwik version 0.4.4 (released Oct.21, 2009), the subject file, “ofc_upload_image.php”, is no longer included. Moreover, during the software update process, Piwik will attempt to remove the file, if found. The Piwik project has also advised the developers of Open Flash Chart (and other open source projects known to use the same library), but we make no representation on their behalf.

Since the Secunia advisory links to exploit code, we urge Piwik users to update to the latest version of Piwik immediately.

Piwik users who are unable to update to the latest version are advised to simply remove the file located at “libs/open-flash-chart/php-ofc-library/ofc_upload_image.php”.

We also recommend that users secure their web server environment by setting register_globals=Off, but advise caution as this may impact the operation of other web applications.

Updated: Dec 14, 2009: assigned candidate CVE-2009-4140


Anthon Pang

- active contributor for years, Anthon has designed some some major features in Piwik such as the first version of the Javascript tracker. He still regularly advises the team.