Improper access control

2009-03-2518:30:00

PRIOn knowledge base

www.prio-n.com

6.8 Medium

AI Score

Confidence

Low

0.003 Low

EPSS

Percentile

65.4%

JSON

Piwik 0.2.32 and earlier stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain the API key and other sensitive information via a direct request for misc/cron/archive.sh.

CPENameOperatorVersion
matomoeq0.2.25
matomoeq0.2.26
matomoeq0.2.27
matomoeq0.2.28
matomoeq0.2.29
matomoeq0.2.30
matomoeq0.2.31
matomole0.2.32

Name	Operator	Version
matomo	eq	0.2.25
matomo	eq	0.2.26
matomo	eq	0.2.27
matomo	eq	0.2.28
matomo	eq	0.2.29
matomo	eq	0.2.30
matomo	eq	0.2.31
matomo	le	0.2.32

References

dev.piwik.org/trac/ticket/599

marco-ziesing.de/archives/35-Schluesselloch-in-Piwik.html

www.openwall.com/lists/oss-security/2009/03/23/2