Piwik core/Loader.php Trojaned Distribution

Severity: High. Nessus Plugin ID 63079

Synopsis

A web application hosted on the remote web server contains a backdoor.

Description

The version of Piwik installed on the remote web server contains a trojaned backdoor that allows the execution of arbitrary PHP code with the privileges of the account under which the web server operates.

It is likely to have been installed from a copy of the file 'latest.zip' downloaded from the project's website between 15:43 UTC and 23:59 UTC on 11/26/2012. That file was modified to append backdoor code to the end of the application's 'core/Loader.php' script, to expose a shell command launcher as 'core/DataTable/Filter/Megre.php', and to notify an attacker through a web form hosted on prostoivse.com.

Note that Nessus has only verified code execution through the backdoored code.

Solution

Refer to the project's blog post for steps from the vendor on cleaning an affected installation. Additionally, conduct a full security review of the host, as it may have been compromised.

See Also

https://forum.matomo.org/t/alert-security-issue-latest-zip-is-infected/8416

http://www.nessus.org/u?e9c4045a

Plugin Details

Severity: High

ID: 63079

File Name: piwik_core_loader_backdoor.nasl

Version: 1.10

Type: remote

Family: CGI abuses

Published: 11/28/2012

Updated: 6/5/2024

Configuration: Enable thorough checks

Supported Sensors: Nessus

Enable CGI Scanning: true

Vulnerability Information

CPE: cpe:/a:piwik:piwik

Required KB Items: www/PHP, installed_sw/Piwik

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 11/27/2012

Vulnerability Publication Date: 11/26/2012

Reference Information

BID: 56716