Update for Piwik web analysis software fixes security hole
Version 0.5 of the free Piwik web analytics tool has been released to fix a cookie-related security hole. Once installed on a web server, Piwik provides detailed reports on website visitors, including search engines and keywords used, language and the most popular pages. The Piwik developers consider their tool to be an open source alternative to Google Analytics.
The security problem is caused by the PHP function unserialize(), which Piwik used to read user cookies and convert the data they contain back into PHP data. Attackers are reportedly able to upload files onto a server or execute arbitrary code – and gain control of a system – via specially crafted cookies.
The unserialize problem in connection with the processing of user input in PHP is not in itself a new issue. Security firm SektionEins has looked at the problem in detail ("Shocking News in PHP Exploitation") and found the current vulnerability not only in Piwik, but also in other PHP applications, including the PHPIDS PHP Intrusion Detection System. In PHPIDS the problem was solved in version 0.6.3.1, issued last October.
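To make the pattern concrete, here is an added example (not Piwik's or SektionEins' code) that puts the unsafe cookie-reading pattern the advisory describes beside three mitigations: refusing object instantiation with unserialize()'s `allowed_classes` option (PHP 7 and later), switching client-editable data to JSON with schema validation, and authenticating the cookie with an HMAC so only server-issued values reach any parser at all. The cookie field names (`lang`, `pages`), the sample cookie values and the server secret are constructed placeholders; the `mixed` return type assumes PHP 8.

```php
<?php
declare(strict_types=1);

// Constructed sample values (not from Piwik): one cookie carrying a plain
// serialized array, one carrying a serialized (here harmless) object.
$arrayCookie  = 'a:2:{s:4:"lang";s:2:"en";s:5:"pages";i:3;}';
$objectCookie = 'O:8:"stdClass":1:{s:4:"lang";s:2:"en";}';

// VULNERABLE: the pattern the advisory describes. Whatever class name the
// cookie carries gets instantiated with attacker-chosen properties, and its
// __wakeup()/__destruct() run. Kept only to show the contrast.
function readCookieUnsafe(string $raw): mixed
{
    return unserialize($raw);
}

// MITIGATION 1 (PHP >= 7.0): refuse to instantiate any class. Objects in the
// payload become __PHP_Incomplete_Class, whose magic methods never run.
function readCookieNoObjects(string $raw): mixed
{
    $data = @unserialize($raw, ['allowed_classes' => false]);
    return $data === false ? null : $data;
}

// MITIGATION 2: use JSON instead of PHP serialization for anything the client
// can edit, then validate the decoded structure against what the application
// actually expects (assumed schema: two-letter language code, non-negative int).
function readCookieJson(string $raw): ?array
{
    $data = json_decode($raw, true, 4);
    if (!is_array($data)) {
        return null;
    }
    if (!isset($data['lang']) || !is_string($data['lang'])
        || !preg_match('/^[a-z]{2}$/', $data['lang'])) {
        return null;
    }
    if (!isset($data['pages']) || !is_int($data['pages']) || $data['pages'] < 0) {
        return null;
    }
    return ['lang' => $data['lang'], 'pages' => $data['pages']];
}

// MITIGATION 3: authenticate the cookie. An HMAC over the value lets the
// application reject anything it did not issue itself, so the parser only
// ever sees trusted bytes. $secret is a placeholder for a server-side key.
function signCookie(string $value, string $secret): string
{
    return $value . '.' . hash_hmac('sha256', $value, $secret);
}

function verifyCookie(string $signed, string $secret): ?string
{
    $pos = strrpos($signed, '.');
    if ($pos === false) {
        return null;
    }
    $value    = substr($signed, 0, $pos);
    $mac      = substr($signed, $pos + 1);
    $expected = hash_hmac('sha256', $value, $secret);
    return hash_equals($expected, $mac) ? $value : null;   // constant-time compare
}

// Demonstration of the four paths on the constructed cookies.
$secret = 'placeholder-server-secret';

var_dump(readCookieUnsafe($objectCookie));       // the serialized class is instantiated
var_dump(readCookieNoObjects($objectCookie));    // no class is instantiated
var_dump(readCookieNoObjects($arrayCookie));     // plain arrays still decode normally
var_dump(readCookieJson('{"lang":"en","pages":3}'));
var_dump(readCookieJson('{"lang":"en","pages":"3"}'));   // rejected: wrong type

$signed = signCookie('{"lang":"en","pages":3}', $secret);
var_dump(verifyCookie($signed, $secret));        // accepted: server-issued
var_dump(verifyCookie($signed . 'x', $secret));  // rejected: tampered
```

The `allowed_classes` option is the smallest change for code that must keep the PHP serialization format, but it only removes the object-instantiation primitive; switching the cookie to JSON plus validation, and signing it so unauthenticated values are dropped before parsing, are the stronger defaults for any value a browser can rewrite.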
More details about the release can be found in the change log. Piwik is released under the GNU General Public License (GPL).
- PHPIDS Unserialize() Vulnerability, security advisory from SektionEins.
- Piwik Cookie Unserialize() Vulnerability, security advisory from SektionEins.