
Piwik < 1.1.0 Multiple Vulnerabilities

Medium

Synopsis

The remote web server is hosting a PHP application that is vulnerable to multiple attack vectors.

Description

The remote web server is hosting Piwik, a web analytics application written in PHP.

Versions of Piwik earlier than 1.1.0 are potentially affected by multiple vulnerabilities:

- A flaw exists in the 'Piwik_Common::getIP' function which fails to properly determine the client IP address. (Bug 457)

- Piwik fails to prevent the login form from being framed in another website. (Bug 1679)

- A flaw exists in Cookie.php, which fails to set the 'secure' flag on the session cookie in HTTPS sessions. (Bug 1795)

- A denial-of-service vulnerability exists because Piwik fails to properly limit the number of files stored under '/tmp/sessions/'. (Bug 1910)

- An unspecified cross-site scripting vulnerability exists.
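The following is an added example, not part of the original plugin text or of Piwik: a small audit helper that checks a login-page response for two of the weaknesses listed above (a framable login form, Bug 1679, and a session cookie served over HTTPS without the 'secure' flag, Bug 1795) and compares a reported version against the 1.1.0 fix. The response headers and the cookie name are constructed samples, not captured from a real install.

```python
"""Audit helpers for the Piwik < 1.1.0 findings above (added example)."""

FIXED_VERSION = (1, 1, 0)  # first release the advisory lists as fixed


def parse_version(version):
    """'1.0.3' -> (1, 0, 3) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def is_vulnerable_version(version):
    """True for Piwik releases earlier than 1.1.0, as stated in the advisory."""
    return parse_version(version) < FIXED_VERSION


def audit_login_response(headers, served_over_https):
    """Return a list of findings for the login page's response headers.

    headers is a list of (name, value) pairs because Set-Cookie may repeat.
    """
    findings = []
    single = {name.lower(): value for name, value in headers}
    # Bug 1679: without a framing restriction the login form can be embedded
    # in another site. A CSP frame-ancestors directive is accepted as well.
    xfo = single.get("x-frame-options", "").upper()
    csp = single.get("content-security-policy", "")
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("login form can be framed (no X-Frame-Options or frame-ancestors)")
    # Bug 1795: over HTTPS every session cookie must carry the Secure attribute.
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        attrs = [a.strip().lower() for a in value.split(";")]
        cookie_name = attrs[0].split("=", 1)[0]
        if served_over_https and "secure" not in attrs[1:]:
            findings.append(f"session cookie '{cookie_name}' lacks the Secure flag")
    return findings


# Constructed samples: the same login page before and after hardening.
VULNERABLE_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "PIWIK_SESSID=abc123; path=/; HttpOnly"),
]
HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("Set-Cookie", "PIWIK_SESSID=abc123; path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    print(audit_login_response(VULNERABLE_RESPONSE, served_over_https=True))
```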

Solution

Upgrade to Piwik 1.1.0 or later.