Detections
Analytics

Piwik < 0.5 unserialize() PHP Code Execution Vulnerability

high Nessus Network Monitor Plugin ID 5263

Synopsis

The remote web server is hosting a PHP application that is vulnerable to a remote code execution vulnerability.

Description

The remote web server is hosting Piwik, a web analytics application written in PHP. The installed version is earlier than 0.5. Such versions are potentially affected by a remote PHP code execution vulnerability because the application unserializes data from user supplied cookies. An attacker could send a specially crafted cookie which, when unserialized, could be used to upload arbitrary files or possibly execute arbitrary PHP code.

Solution

Upgrade to Piwik 0.5 or later.

See Also

http://piwik.org/blog/2009/12/piwik-response-to-shocking-news-in-php-exploitation

Plugin Details

Severity: High

ID: 5263

Family: CGI

Published: 12/9/2009

Updated: 3/6/2019

Vulnerability Information

CPE: cpe:/a:piwik:piwik

Patch Publication Date: 12/9/2009

Vulnerability Publication Date: 12/9/2009

Reference Information

BID: 37312