The Piwik development team is releasing Piwik 0.5 to address issues with performance, PHP 5.3.1 compatibility, and a potential security vulnerability in earlier versions of Piwik. We strongly encourage all Piwik users to update. In addition, users will also benefit from new features and bug fixes in this release.
The automated update was inadvertently broken in 0.4.4 and 0.4.5. If you are running either of these versions, please update manually to 0.5 (see How to update Piwik manually?), preferably by installing Piwik in a fresh folder. Our apologies for the inconvenience.
In disclosing this security risk, we urge all Piwik users to update to this release as soon as possible. If you are unable to update at this time, you should make the following changes immediately to secure your Piwik installation:
- In “core/Cookie.php”, apply this patch
- Remove the third-party file “libs/open-flash-chart/php-ofc-library/ofc_upload_image.php” (if it exists). (Reference: SA37078 advisory)
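As an added example (not code from the Piwik project or this post), a small POSIX shell helper that checks a Piwik install for the third-party upload script named above, including any stray copies elsewhere under the install, and removes whatever it finds; the function names and the `find`-based scan are my own.

```shell
# Locate and remove the third-party OFC upload script that the Piwik 0.5
# advisory says to delete. Only the file name from the release notes is
# assumed; every copy under the install root is treated the same way.
OFC_UPLOAD_NAME="ofc_upload_image.php"

# piwik_find_ofc_upload <piwik_root>
# Prints the path of every copy of the script under the install root.
# Returns 0 if at least one copy exists, 1 if the install is clean.
piwik_find_ofc_upload() {
  matches=$(find "$1" -type f -name "$OFC_UPLOAD_NAME" 2>/dev/null)
  [ -n "$matches" ] || return 1
  printf '%s\n' "$matches"
}

# piwik_remove_ofc_upload <piwik_root>
# Deletes every copy found and re-scans; returns 0 only if none remain.
piwik_remove_ofc_upload() {
  find "$1" -type f -name "$OFC_UPLOAD_NAME" -exec rm -f -- {} +
  ! piwik_find_ofc_upload "$1" >/dev/null
}
```

Run `piwik_find_ofc_upload /path/to/piwik` first to see what would be removed, then `piwik_remove_ofc_upload /path/to/piwik` as the user that owns the install.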
A special thanks to security researcher Stefan Esser of SektionEins for his assistance.
$ php path/to/piwik/index.php.
The “alpha” version of the “Live!” visitor plugin has also been updated, thanks to jr-ewing. To activate this plugin, go to “Settings | Plugins” and click on the “Activate” link. This will allow you to add a live visitor widget to the dashboard, and access the “Visitor Log” report from the menu. Please test-drive this plugin and provide feedback on the forum for further improvement. This is a beta release only.
- #530 – Report actions by html page title as well as reporting by URL (or custom page name)
- #708 – Hash the “name” column (using CRC32 algorithm) to speed up the SELECT idaction in piwik.php
- #997 – widget+data loaded in a single fetch cutting round-trip delays (latency)
- #693 – Visit Generator should ask for user confirmation before generating data
- #905 – tag cloud line breaks
- #947 – truncated translation string in Flash widget when “no data”; this is now styled consistently with “no data” for tables and tag clouds
- #967 – non-superuser admin could reduce own access to view/no access
- #981 – add ORDER BY NULL clause where order doesn’t matter (faster)
- #994 – set content type to application/JSON for OFC data feed
- #1004 – add/delete user after changing site selection causes FF to prompt re: resending information
- #1010 – auto-update failing
- #1012 – “Database usage” (DBStatus menu) not translated
- #1013 – html entities not decoded in User Country/Continent data tables
- #1020 – “Save image locally” (right-click pop-up menu) only worked for last chart; also close stream on ‘Export as image’ pop up window
- #1033 – archive.sh: readlink -f is not a valid option on FreeBSD
- #1034 – undefined variable after resetting password
- #1037 – URL match on ampersand fails on sanitized URL
- #1039 – Class Piwik_Apiable not found when updating from pre-0.2.10
- #1053 – suppress “add site” link for non-superuser
- checking for writable session.savepath
- #510 – update to jQuery 1.3.2 and jQuery UI 1.7.2
- #946 – some CSS cleanup
- #986 – handle Firefox variant user agent strings (eg development, alpha, or nightly builds)
- #1029 – replace thickbox 3.1 with jquery ui dialog
- #1049 – peephole optimizations (assignment to temporary variable before returning it)
- sync up with Zend Framework 1.9.6
Piwik core developers Anthon, Maciej, and Matt contributed the bulk of updates for this release, with patches from jr-ewing, kurakin, manne, ogs22, and pebosi. And of course, thank you to the Piwik community and sponsors for your continued support and feedback.