Vulners
Lucene search
Piwik 2.14.3 PHP Object Injection Vulnerability
| Reporter | Title | Published | Views | Family All 11 |
|---|---|---|---|---|
 | piwik -- multiple vulnerabilities | 17 Nov 201500:00 | – | freebsd |
 | Piwik PHP Object Injection Vulnerability | 18 Nov 201500:00 | – | cnvd |
 | CVE-2015-7816 | 16 Nov 201519:00 | – | cve |
 | CVE-2015-7816 | 16 Nov 201519:00 | – | cvelist |
 | CVE-2015-7816 | 16 Nov 201519:00 | – | debiancve |
 | EUVD-2015-7714 | 7 Oct 202500:30 | – | euvd |
 | FreeBSD : piwik -- multiple vulnerabilities (11351c82-9909-11e5-a9c8-14dae9d5a9d2) | 3 Dec 201500:00 | – | nessus |
 | CVE-2015-7816 | 16 Nov 201519:59 | – | nvd |
 | Piwik 2.14.3 PHP Object Injection | 4 Nov 201500:00 | – | packetstorm |
 | Server side request forgery (ssrf) | 16 Nov 201519:59 | – | prion |
10
-----------------------------------------------------------------------
Piwik <= 2.14.3 (DisplayTopKeywords) PHP Object Injection Vulnerability
-----------------------------------------------------------------------
[-] Software Link:
https://piwik.org/
[-] Affected Versions:
Version 2.14.3 and prior versions.
[-] Vulnerability Description:
The vulnerability is caused by the DisplayTopKeywords() function
defined in the /plugins/Referrers/Controller.php script:
358. function DisplayTopKeywords($url = "", $api)
359. {
360. // Do not spend more than 1 second fetching the data
361. @ini_set("default_socket_timeout", $timeout = 1);
362. // Get the Keywords data
363. $url = empty($url) ? "http://" . $_SERVER["HTTP_HOST"] ...
364. $api = $api . "&url=" . urlencode($url);
365. $keywords = @unserialize(file_get_contents($api));
The content retrieved by the "file_get_contents()" function located at the URL defined in
the $api variable is passed directly to the "unserialize()" function at line 365, and this
can be exploited to inject arbitrary objects into the application scope, allowing remote
attackers to carry out Server-Side Request Forgery (SSRF) attacks, to include and execute
arbitrary PHP code, and possibly other attacks. Successful exploitation of this vulnerability
requires the application running with certain configuration settings allowing to manipulate
the value of the $api variable through HTTP headers (like Host or X-Forwarded-Host).
[-] Solution:
Update to version 2.15.0 or later.
[-] Disclosure Timeline:
[27/08/2015] - Vendor notified
[09/09/2015] - Issue fixed on the GitHub repository: http://git.io/vly3D
[06/10/2015] - CVE number requested
[14/10/2015] - CVE number assigned
[22/10/2015] - Version 2.15.0 released: https://piwik.org/changelog/piwik-2-15-0
[04/11/2015] - Public disclosure
[-] CVE Reference:
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2015-7816 to this vulnerability.
[-] Credits:
Vulnerability discovered by Egidio Romano.
# 0day.today [2018-04-05] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
04 Nov 2015 00:00Current
7.6High risk
Vulners AI Score7.6
EPSS0.00423