oss-sec mailing list archives

Re: Piwik <= 0.4.5 Cookie Unserialize() Vulnerability

From: Josh Bressers <bressers () redhat com>
Date: Thu, 10 Dec 2009 11:24:30 -0500 (EST)

Please use CVE-2009-4137 for this.

Sadly I can't find other references. Even the Piwik changelog is a bit slient
on this.

Thanks.

-- 
    JB


----- "Eren Türkay" <eren () pardus org tr> wrote:

Hello,

Piwik is an open source web analytics software program used by various

sites.

Stefan Esser found a vulnerability in Piwik, which can allow arbitrary
files 
to be written into writable locations on the webserver. He says, it is
also 
possible to execute arbitrary PHP code directly in newer versions of
Piwik.

The original advisory is here: 
http://www.suspekt.org/2009/12/09/advisory-032009-piwik-cookie-
unserialize-vulnerability/

I think, it is worth assigning a CVE.

Regards,
Eren


-- 
    JB

Current thread:

Piwik <= 0.4.5 Cookie Unserialize() Vulnerability Eren Türkay (Dec 09)
- <Possible follow-ups>
- Re: Piwik <= 0.4.5 Cookie Unserialize() Vulnerability Josh Bressers (Dec 10)
- Re: Piwik <= 0.4.5 Cookie Unserialize() Vulnerability Anthon Pang (Dec 14)