Matomo 0.5, response to “Shocking News in PHP Exploitation”

Contents

The Matomo (Piwik) project acknowledges its exposure to the cookie exploit vulnerability described in Stefan Esser’s presentation, Shocking News in PHP Exploitation.

The potential security vulnerability exists in all versions of Matomo prior to version 0.5. While no exploit code has been posted, this is a serious threat given Matomo’s increasing popularity. As such, we strongly encourage all Matomo users to upgrade as soon as possible to the latest version of Matomo.

If you are unable to update to Matomo 0.5 or later, a small patch (released Dec. 8, 2009) to “core/Cookie.php” is available here.

Updated Dec 10, 2009: Candidate CVE identifier assigned: CVE-2009-4137
Updated Jan 14, 2011: Related CVE identifier: CVE-2009-4417

Enjoyed this post?
Join the 160,000+ subscribers who receive the Matomo Newsletter straight to their inbox every month
Get started with Matomo

A powerful web analytics platform that gives you and your business 100% data ownership and user privacy protection.

No credit card required.

Free forever.

Get started with Matomo

A powerful web analytics platform that gives you and your business 100% data ownership and user privacy protection.

No credit card required.

Free forever.