Matomo 0.4.4, response to Secunia Advisory SA37078

The Matomo (Piwik) project confirms that a potential vulnerability exists due to a file included in a third-party library. The vulnerability is exploitable whether or not the web site has the PHP configuration directive register_globals=On. The list of affected Matomo releases is limited to Matomo versions 0.2.35, 0.2.36, 0.2.37, 0.4, 0.4.1, 0.4.2, and 0.4.3. Matomo version 0.4.4 and later are not affected.

As of Matomo version 0.4.4 (released Oct.21, 2009), the subject file, “ofc_upload_image.php”, is no longer included. Moreover, during the software update process, Matomo will attempt to remove the file, if found. The Matomo project has also advised the developers of Open Flash Chart (and other open source projects known to use the same library), but we make no representation on their behalf.

Since the Secunia advisory links to exploit code, we urge Matomo users to update to the latest version of Matomo immediately.

Matomo users who are unable to update to the latest version are advised to simply remove the file located at “libs/open-flash-chart/php-ofc-library/ofc_upload_image.php”.

We also recommend that users secure their web server environment by setting register_globals=Off, but advise caution as this may impact the operation of other web applications.

Updated: Dec 14, 2009: assigned candidate CVE-2009-4140

Share this post