Official Piwik Blog

November 27, '12 | Posted in Community, Security | 22 comments

Security Report: Piwik.org webserver hacked for a few hours on 2012 Nov 26th

Important Security Announcement: Piwik.org webserver got compromised by an attacker on 2012 Nov 26th; this attacker added malicious code to the Piwik 1.9.2 Zip file for a few hours. How do I know if my Piwik server is safe? You would be at risk only if you installed or updated to Piwik 1.9.2 on [...]

June 27, '12 | Posted in Security

Piwik Response to ZF2012-01 Security Advisory

The current version of Piwik (1.8.2) is not affected by this vulnerability. Piwik neither uses nor includes the XmlRpc component from Zend Framework. Piwik users are, however, encouraged to upgrade to the latest versions of Piwik and PHP to take advantage of new features and bug fixes. References: ZF2011-01: Local file disclosure via XXE injection [...]

May 19, '12 | Posted in Security

Piwik Response to ZF2011-02 Security Advisory

The current version of Piwik is not affected by this vulnerability. Since version 0.5 (released December 2009), Piwik checks (and sets, if required) the MySQL connection charset to UTF-8. Piwik users are, however, encouraged to upgrade to the latest versions of Piwik and PHP to take advantage of new features and bug fixes. Reference: ZF2011-02: [...]

October 20, '11 | Posted in Security

Piwik Response to CVE-2011-3791

The path disclosure weakness described in CVE-2011-3791 does not affect Piwik 1.1. Beginning with Piwik 0.6.3 (released June 2010), the installer creates Apache .htaccess and IIS web.config files to prevent direct access to .php files. Users upgrading from an earlier beta version of Piwik, or using a different web server, should consult their web server’s [...]

June 21, '11 | Posted in Security

Piwik 1.5 – Security Advisory

The Piwik 1.5 release addresses a critical security vulnerability, which affects all Piwik users that have granted some access to the “anonymous” user. Users should upgrade immediately. Description: Piwik 1.5 contains a remotely exploitable vulnerability that could allow a remote attacker to execute arbitrary code. Only installations that have granted untrusted view access to [...]

January 06, '11 | Posted in Security

Piwik 1.1 – Security Advisory

Multiple XSS vulnerabilities are fixed by the Piwik 1.1 release. Description: CVE-2011-004. Piwik versions prior to 1.1 are vulnerable to multiple XSS vulnerabilities, both persistent and reflected. This security update is rated critical, and Piwik users are strongly encouraged to update to the latest version of Piwik. The Piwik project and community thanks Stefan Esser [...]

August 28, '10 | Posted in Security

Piwik 0.5.4 Remix by Parallels – Security Advisory – Updated

Sites using the APS package of Piwik 0.5.4 (which we are referring to as, “Piwik Remix by Parallels”, per our trademark policy) may be vulnerable to a shared salt value which may allow an attacker to spoof trusted cookies or nonces. This is a third-party issue, specific to this APS package. The vendor has ceased [...]

July 28, '10 | Posted in Security

Piwik Response to ZF2010-07 Security Advisory

No Piwik releases up to and including Piwik 0.6.4 are affected by this advisory as the Dojo bundle is not included in the Piwik distribution (or svn). Piwik users are, however, encouraged to upgrade to the latest version to take advantage of new features and bug fixes. Reference: ZF2010-07: Potential Security Issues in Bundled Dojo [...]

July 28, '10 | Posted in Security

Piwik 0.6.4 Security Advisory CVE-2010-2786

An arbitrary file inclusion vulnerability is fixed by the latest Piwik 0.6.4 release. Description: Piwik versions 0.6 through 0.6.3 are vulnerable to arbitrary, remote file inclusion using a directory traversal pattern in a crafted request for a data renderer. This vulnerability is rated critical, and Piwik users are strongly encouraged to update to the latest [...]

April 15, '10 | Posted in Security

Piwik 0.6 – Security Advisory to CVE-2010-1453

A non-persistent, cross-site scripting vulnerability (XSS) was found in Piwik’s Login form that reflected the form_url parameter without being properly escaped or filtered. To exploit this vulnerability, the attacker tricks a Piwik user into visiting a Login URL crafted by the attacker. While this is a low risk threat, Piwik users are encouraged to update [...]

February 11, '10 | Posted in Security

Piwik Response to Zend Framework Security Advisory ZF2010-01

Piwik 0.5.4 (released Dec. 18, 2009) and earlier versions are not affected by this security advisory to Zend_Log (disclosed Jan. 11, 2010) because Piwik uses UTF-8. Furthermore, Piwik is not affected by security advisories ZF2010-02 through ZF2010-06 because Piwik uses a subset of ZF which does not include Zend_Form, Zend_View, Zend_Dojo, Zend_Filter, Zend_File, Zend_Service, or [...]

December 09, '09 | Posted in Security

Piwik 0.5, response to “Shocking News in PHP Exploitation”

The Piwik project acknowledges its exposure to the cookie exploit vulnerability described in Stefan Esser’s presentation, “Shocking News in PHP Exploitation”. The potential security vulnerability exists in all versions of Piwik prior to version 0.5. While no exploit code has been posted, this is a serious threat given Piwik’s increasing popularity. As such, we strongly [...]

October 21, '09 | Posted in Security

Piwik 0.4.4, response to Secunia Advisory SA37078

The Piwik project confirms that a potential vulnerability exists due to a file included in a third-party library. The vulnerability is exploitable whether or not the web site has the PHP configuration directive register_globals=On. The list of affected Piwik releases is limited to Piwik versions 0.2.35, 0.2.36, 0.2.37, 0.4, 0.4.1, 0.4.2, and 0.4.3. Piwik version [...]

April 07, '09 | Posted in Security

Piwik 0.2.33, response to CVE-2009-1085

Reference: CVE-2009-1085 dated 03/25/2009 Contrary to the advisory, the Piwik project did not “confirm” this “vulnerability”. We have classified this issue as user error. The subject file, “misc/cron/archive.sh”, was intended to be a sample shell script. By default, archiving is an internal Piwik process, and an external “archive.sh” file is not required nor used in [...]

March 02, '09 | Posted in Security

Piwik Response to Zend Framework Security Advisory ZF2009-02

ZF2009-02: XSS vector in Zend_Filter_StripTags. Piwik 0.2.33 (released Mar. 2, 2009) and earlier versions are not affected by this security advisory (disclosed Mar. 2, 2009) because Piwik uses a subset of ZF which does not include Zend_Filter. Piwik users are, however, encouraged to upgrade to take advantage of new features and bug fixes. Reference: Cross-site [...]

February 17, '09 | Posted in Security

Piwik Response to Zend Framework Security Advisory ZF2009-01

ZF2009-01: LFI vector in Zend_View::setScriptPath() and render(). Piwik 0.2.31 (released Feb 18, 2009) and earlier versions are not affected by this security advisory (disclosed Feb. 17, 2009) because Piwik uses a subset of ZF which does not include Zend_View. Piwik users are, however, encouraged to upgrade to take advantage of new features and bug fixes. [...]