Piwik Response to Zend Framework Security Advisory ZF2010-01

Piwik 0.5.4 (released Dec. 18, 2009) and earlier versions are not affected by this security advisory to Zend_Log (disclosed Jan. 11, 2010) because Piwik uses UTF-8. Furthermore, Piwik is not affected by security advisories ZF2010-02 through ZF2010-06 because Piwik uses …

Piwik 0.5, response to “Shocking News in PHP Exploitation”

The Piwik project acknowledges its exposure to the cookie exploit vulnerability described in Stefan Esser’s presentation, “Shocking News in PHP Exploitation”. The potential security vulnerability exists in all versions of Piwik prior to version 0.5. While no exploit code has …

Piwik 0.4.4, response to Secunia Advisory SA37078

The Piwik project confirms that a potential vulnerability exists due to a file included in a third-party library. The vulnerability is exploitable whether or not the web site has the PHP configuration directive register_globals=On. The list of affected Piwik releases …

Piwik 0.2.33, response to CVE-2009-1085

Reference: CVE-2009-1085, dated 03/25/2009. Contrary to the advisory, the Piwik project did not “confirm” this “vulnerability”. We have classified this issue as user error. The subject file, “misc/cron/archive.sh”, was intended to be a sample shell script. By default, archiving is …