oss-sec mailing list archives

Piwik <= 0.4.5 Cookie Unserialize() Vulnerability


From: Eren Türkay <eren () pardus org tr>
Date: Wed, 9 Dec 2009 22:03:56 +0200

Hello,

Piwik is an open source web analytics software program used by various 
sites.

Stefan Esser found a vulnerability in Piwik, which can allow arbitrary files 
to be written into writable locations on the webserver. He says it is also 
possible to execute arbitrary PHP code directly in newer versions of Piwik.

The original advisory is here: 
http://www.suspekt.org/2009/12/09/advisory-032009-piwik-cookie-unserialize-vulnerability/

I think it is worth assigning a CVE.

Regards,
Eren

