oss-sec mailing list archives
Re: CVE request: API key disclosure in piwik
From: "Steven M. Christey" <coley () linus mitre org>
Date: Wed, 25 Mar 2009 21:14:17 -0400 (EDT)
====================================================== Name: CVE-2009-1085 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1085 Reference: MLIST:[oss-security] 20090323 CVE request: API key disclosure in piwik Reference: URL:http://www.openwall.com/lists/oss-security/2009/03/23/2 Reference: MISC:http://marco-ziesing.de/archives/35-Schluesselloch-in-Piwik.html Reference: CONFIRM:http://dev.piwik.org/trac/ticket/599 Piwik 0.2.32 and earlier stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain the API key and other sensitive information via a direct request for misc/cron/archive.sh.
Current thread:
- CVE request: API key disclosure in piwik Hanno Böck (Mar 23)
- Re: CVE request: API key disclosure in piwik Steven M. Christey (Mar 25)