Re: CVE request: piwik before 1.6

[Kurt Seifried <kseifried () redhat com>]

On 03/18/2012 01:20 AM, Henri Salo wrote:
> This case is still not handled. Information from the URL:
>
> The Piwik 1.5 release addresses a critical security vulnerability, which affect all Piwik users that have let granted 
> some access to the "anonymous" user. Users should upgrade immediately.
>
> Piwik 1.5 contains a remotely exploitable vulnerabiliy that could allow a remote attacker to execute arbitrary code. 
> Only Installations that have granted untrusted view access to their stats (ie. grant "view" access to a website to 
> anonymous) are at risk.
>
> CVE ID: not yet assigned
> Known Versions Affected: Piwik 1.2, 1.3, and 1.4
>
> This issue was disclosed to us privately and safely. Our thanks to Neal Poole for discovering and reporting the issue 
> to the Piwik Security Team. Neal is the first bounty recipient of Piwik's Security Bug Bounty program.
>
> This release also includes Zend Framework 1.11.6 which addresses a potential SQL injection vector when using 
> PDO_MySql. Piwik users should be unaffected as it has used UTF-8 since Piwik 0.5.
>
> - Henri Salo

http://piwik.org/blog/2011/06/piwik-1-5-security-advisory/

Please use CVE-2011-4941 for this issue.




-- 
Kurt Seifried Red Hat Security Response Team (SRT)