The Piwik project acknowledges its exposure to the cookie exploit vulnerability described in Stefan Esser’s presentation, Shocking News in PHP Exploitation.

The potential security vulnerability exists in all versions of Piwik prior to version 0.5. While no exploit code has been posted, this is a serious threat given Piwik’s increasing popularity. As such, we strongly encourage all Piwik users to upgrade as soon as possible to the latest version of Piwik.

If you are unable to update to Piwik 0.5 or later, a small patch (released Dec. 8, 2009) to “core/Cookie.php” is available here.

Updated Dec 10, 2009: Candidate CVE identifier assigned: CVE-2009-4137
Updated Jan 14, 2011: Related CVE identifier: CVE-2009-4417


Anthon Pang

- active contributor for years, Anthon has designed some some major features in Piwik such as the first version of the Javascript tracker. He still regularly advises the team.