Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20120318072041.GA13061@kludge.henri.nerv.fi>
Date: Sun, 18 Mar 2012 09:20:41 +0200
From: Henri Salo <henri@...v.fi>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: piwik before 1.6

This case is still not handled. Information from the URL:

The Piwik 1.5 release addresses a critical security vulnerability, which affect all Piwik users that have let granted some access to the "anonymous" user. Users should upgrade immediately.

Piwik 1.5 contains a remotely exploitable vulnerabiliy that could allow a remote attacker to execute arbitrary code. Only Installations that have granted untrusted view access to their stats (ie. grant "view" access to a website to anonymous) are at risk.

CVE ID: not yet assigned
Known Versions Affected: Piwik 1.2, 1.3, and 1.4

This issue was disclosed to us privately and safely. Our thanks to Neal Poole for discovering and reporting the issue to the Piwik Security Team. Neal is the first bounty recipient of Piwik's Security Bug Bounty program.

This release also includes Zend Framework 1.11.6 which addresses a potential SQL injection vector when using PDO_MySql. Piwik users should be unaffected as it has used UTF-8 since Piwik 0.5.

- Henri Salo

On Thu, Oct 20, 2011 at 12:28:02PM -0400, Josh Bressers wrote:
> Steve,
> 
> Can MITRE take this thread. I'm a bit fearful as to what this one is going to become.
> 
> Thanks.
> 
> ----- Original Message -----
> > p.s. I see a CVE ID hasn't been issued for:
> > 
> > http://piwik.org/blog/2011/06/piwik-1-5-security-advisory/
> > 
> 
> -- 
>     JB

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.