Sites using the APS package of Piwik 0.5.4 (which we are referring to as, “Piwik Remix by Parallels”, per our trademark policy) may be vulnerable to a shared salt value which may allow an attacker to spoof trusted cookies or nonces.

This is a third-party issue, specific to this APS package. The vendor has ceased maintenance of the package and did not respond to inquiries re: a coordinated disclosure.

Update: If you prefer to use the remix by Parallels, the APS package was updated to include Piwik 1.0 on September 1st.

Description:

The Piwik 0.5.4 remix by Parallels (version 0.5.4-6) bundles a SaaS Application Packaging Standard installer with Piwik 0.5.4. As of today, this package continues to be distributed via the APSstandard.org Application Catalog. The remix contains an installation script which bypasses the normal Piwik installer, and uses a template called “config.ini.php.in” that contains a hard-coded salt value.

salt = "cbdcd503704b27d3a5d51a0c866d8289"

As a result, all sites that install the remix share a common salt value. This salt value is normally secret and pseudo-randomly generated for each installation. In Piwik, the secret salt is used in signing cookies and nonces.

This vulnerability was discovered by the Piwik team and is ranked as low severity.

Solution:

The Piwik team strongly urges that users of the APS package take the following steps:

  1. Manually edit config/config.ini.php, changing the salt value to a random string of characters (of the same length).
  2. Download the latest Piwik release from an official distribution channel, and extract the files, overwriting your existing installation. Browsing to the dashboard should then trigger a database update.

Contact:

Report security vulnerabilities or concerns to security@piwik.org.


Anthon Pang

- active contributor for years, Anthon has designed some some major features in Piwik such as the first version of the Javascript tracker. He still regularly advises the team.