Piwik core/Loader.php Trojaned Distribution

Severity: High | Nessus Plugin ID 63079

Synopsis

A web application hosted on the remote web server contains a backdoor.

Description

The version of Piwik installed on the remote web server comes from a trojaned distribution and contains a backdoor that allows the execution of arbitrary PHP code, subject to the privileges under which the web server operates.

It is likely to have been installed from a copy of the file 'latest.zip' downloaded from the project's website between 15:43 UTC and 23:59 UTC on 11/26/2012. The file was modified to include backdoored code at the end of the application's 'core/Loader.php' script, to make available a shell command launcher as 'core/DataTable/Filter/Megre.php', and to notify an attacker through a web form hosted on prostoivse.com.

Note that Nessus has only verified code execution through the backdoored code.
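As an added example that is not part of the Nessus plugin or any Tenable or Piwik code, the following Python script checks a Piwik web root for the indicators named above: the dropped 'core/DataTable/Filter/Megre.php' file and the prostoivse.com domain inside 'core/Loader.php'. The obfuscated-eval pattern is a generic heuristic assumed by this example, not something the advisory states, and the install it scans is a constructed sample written inline.

```python
import os
import re
import tempfile

# Indicators named in the advisory above.
LOADER_PATH = os.path.join("core", "Loader.php")
DROPPED_SHELL_PATH = os.path.join("core", "DataTable", "Filter", "Megre.php")
CALLBACK_DOMAIN = b"prostoivse.com"
# Generic heuristic (an assumption, not stated in the advisory): injected PHP
# backdoors commonly eval() a decoded or decompressed string.
OBFUSCATED_EVAL = re.compile(rb"eval\s*\(\s*(?:gzuncompress|gzinflate|base64_decode|str_rot13)\s*\(")

def check_piwik_install(root):
    """Return the names of the indicators found under one Piwik web root."""
    findings = []
    if os.path.isfile(os.path.join(root, DROPPED_SHELL_PATH)):
        findings.append("dropped_shell_present")
    loader = os.path.join(root, LOADER_PATH)
    if os.path.isfile(loader):
        with open(loader, "rb") as fh:
            data = fh.read()
        if CALLBACK_DOMAIN in data:
            findings.append("loader_callback_domain")
        if OBFUSCATED_EVAL.search(data):
            findings.append("loader_obfuscated_eval")
    return findings

def write_sample_install(root, trojaned):
    """Write a constructed, minimal Piwik layout (illustrative content only)."""
    loader = os.path.join(root, LOADER_PATH)
    os.makedirs(os.path.dirname(loader), exist_ok=True)
    body = b"<?php\nclass Piwik_Loader {}\n"
    if trojaned:
        # Constructed stand-in for the appended code, not the real payload.
        body += b"eval(gzuncompress(base64_decode('AAAA'))); // prostoivse.com\n"
        shell = os.path.join(root, DROPPED_SHELL_PATH)
        os.makedirs(os.path.dirname(shell), exist_ok=True)
        with open(shell, "wb") as fh:
            fh.write(b"<?php // constructed placeholder for the dropped file\n")
    with open(loader, "wb") as fh:
        fh.write(body)

def demo():
    """Scan one clean and one trojaned constructed install; return both results."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, bad = os.path.join(tmp, "clean"), os.path.join(tmp, "trojaned")
        write_sample_install(clean, trojaned=False)
        write_sample_install(bad, trojaned=True)
        return check_piwik_install(clean), check_piwik_install(bad)
```

Run `check_piwik_install` against a real web root to list which indicators are present; an empty list only means these specific indicators were not found, not that the host is clean.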

Solution

Refer to the project's blog post for steps from the vendor on cleaning an affected installation. Additionally, conduct a full security review of the host, as it may have been compromised.

See Also

https://forum.matomo.org/t/alert-security-issue-latest-zip-is-infected/8416

http://www.nessus.org/u?e9c4045a

Plugin Details

Severity: High

ID: 63079

File Name: piwik_core_loader_backdoor.nasl

Version: 1.9

Type: remote

Family: CGI abuses

Published: 11/28/2012

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.2

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: cpe:/a:piwik:piwik

Required KB Items: www/PHP, installed_sw/Piwik

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 11/27/2012

Vulnerability Publication Date: 11/26/2012

Reference Information

BID: 56716