
Piwik < 1.1.0 Multiple Vulnerabilities

Medium

Synopsis

The remote web server is hosting a PHP application that is vulnerable to multiple attack vectors.

Description

The remote web server is hosting Piwik, a web analytics application written in PHP.

Versions of Piwik earlier than 1.1.0 are potentially affected by multiple vulnerabilities:

- A flaw exists in the 'Piwik_Common::getIP' function which fails to properly determine the client IP address. (Bug 457)

- Piwik fails to prevent the login form from being framed in another website. (Bug 1679)

- An unspecified flaw exists relating to Cookie.php's failure to set the 'secure' flag on the session cookie in HTTPS sessions. (Bug 1795)

- A denial-of-service vulnerability exists because Piwik fails to properly limit the number of files stored under '/tmp/sessions/'. (Bug 1910)

- An unspecified cross-site scripting vulnerability exists.
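As an added check, not part of this plugin or of Piwik itself, the following Python audits a captured set of login-page response headers for the two header-level controls that Bugs 1679 and 1795 concern: anti-framing protection and the Secure flag on the session cookie over HTTPS. The header lines and the cookie name are constructed samples, not output from a real install.

```python
# Constructed sample responses (not captured from a real Piwik install):
# what a pre-1.1.0 login page might send versus a patched one.
VULNERABLE_RESPONSE = [
    "Set-Cookie: PIWIK_SESSID=deadbeef; path=/; HttpOnly",
]
PATCHED_RESPONSE = [
    "X-Frame-Options: SAMEORIGIN",
    "Set-Cookie: PIWIK_SESSID=deadbeef; path=/; secure; HttpOnly",
]


def parse_headers(lines):
    """Split raw 'Name: value' lines into (lowercased name, value) pairs."""
    parsed = []
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            parsed.append((name.strip().lower(), value.strip()))
    return parsed


def frames_blocked(headers):
    """True if the page forbids framing by other origins (Bug 1679)."""
    for name, value in headers:
        if name == "x-frame-options" and value.upper() in ("DENY", "SAMEORIGIN"):
            return True
        if name == "content-security-policy" and "frame-ancestors" in value.lower():
            return True
    return False


def cookies_missing_secure(headers, over_https=True):
    """Names of cookies set without the Secure attribute on an HTTPS session (Bug 1795)."""
    if not over_https:
        return []  # the Secure flag is only meaningful over HTTPS
    missing = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        if "secure" not in (p.lower() for p in parts[1:]):
            missing.append(cookie_name)
    return missing


def audit(lines, over_https=True):
    """Summarise both header-level checks for one captured response."""
    headers = parse_headers(lines)
    return {
        "framing_protected": frames_blocked(headers),
        "cookies_without_secure": cookies_missing_secure(headers, over_https),
    }
```

Feed `audit()` the raw header lines of a real login-page response (over HTTPS) to confirm an upgrade took effect; a result of `framing_protected` False or a non-empty `cookies_without_secure` list means the corresponding control is still absent.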

Solution

Upgrade to Piwik 1.1.0 or later.