piwik -- php code execution

2009-12-10T00:00:00
ID FCBF56DD-E667-11DE-920A-00248C9B4BE7
Type freebsd
Reporter FreeBSD
Modified 2010-05-02T00:00:00

Description

Secunia reports:

Stefan Esser has reported a vulnerability in Piwik, which can be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused due to the core/Cookie.php script using "unserialize()" with user controlled input. This can be exploited to e.g. execute arbitrary PHP code via the "__wakeup()" or "__destruct()" methods of a serialized object passed via an HTTP cookie.
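A hardened alternative to the cookie handling described above, as an added example (not Piwik's code and not its actual fix): the cookie carries data-only JSON plus an HMAC, so the server never passes client bytes to unserialize(). The function names, the key handling and the sample values are assumptions made for illustration.

```php
<?php
// Added example. encodeCookie(), decodeCookie() and $key are hypothetical
// names, not taken from Piwik.
//
// Pattern described in the advisory (shown as a comment only):
//     $data = unserialize($_COOKIE['name']);
// The client picks which classes are instantiated, so their __wakeup() and
// __destruct() methods run on attacker-chosen property values.

// Encode an array as base64(JSON) followed by an HMAC-SHA256 tag.
function encodeCookie(array $data, string $key): string
{
    $payload = base64_encode(json_encode($data));
    return $payload . '.' . hash_hmac('sha256', $payload, $key);
}

// Return the decoded array, or null if the value was not issued by us.
function decodeCookie(string $raw, string $key): ?array
{
    $parts = explode('.', $raw, 2);
    if (count($parts) !== 2) {
        return null;                       // no signature part at all
    }
    [$payload, $mac] = $parts;
    $expected = hash_hmac('sha256', $payload, $key);
    if (!hash_equals($expected, $mac)) {   // constant-time comparison
        return null;                       // modified or forged value
    }
    $json = base64_decode($payload, true); // strict base64 alphabet
    if ($json === false) {
        return null;
    }
    $data = json_decode($json, true);      // arrays and scalars only, no objects
    return is_array($data) ? $data : null;
}

// Constructed sample values; a real key would come from server-side config.
$key    = random_bytes(32);
$cookie = encodeCookie(['idvisitor' => 'abc123', 'ts' => 1260403200], $key);

var_dump(decodeCookie($cookie, $key));                // value issued by the server
var_dump(decodeCookie($cookie . 'x', $key));          // same value with one byte appended
var_dump(decodeCookie('O:8:"stdClass":0:{}', $key));  // raw serialized object from a client
```

Where the serialized format has to be kept for compatibility, PHP 7.0 and later accept `unserialize($raw, ['allowed_classes' => false])`, which returns `__PHP_Incomplete_Class` placeholders instead of instantiating the named classes.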