Piwik Multiple Vulnerabilities Fixed by 2.15.0


Description   Two vulnerabilities have been identified in Piwik.

- CVE-2015-7815: arbitrary file inclusion in viewDataTable. A remote attacker can exploit it to include PHP files and potentially execute arbitrary commands. Only PHP 5.4.24 and earlier, or 5.5.8 and earlier, are vulnerable.

- CVE-2015-7816: PHP object injection in DisplayTopKeywords. A remote attacker can exploit it to perform a server-side request forgery attack. Only configurations that allow the $api variable to be set via HTTP headers are vulnerable.
     
Vulnerable Products   Vulnerable OS:
FreeBSD (FreeBSD) - All
Vulnerable Software:
Piwik (Piwik) - 2.0.0, 2.1.0, 2.10.0, 2.11.0, 2.11.1, ..., 2.5.0, 2.6.0, 2.7.0, 2.8.0, 2.9.0
     
Solution   Fixed piwik packages for FreeBSD are available.
     
CVE   CVE-2015-7816
CVE-2015-7815
     
References   - KIS-2015-09 : Piwik <= 2.14.3 (viewDataTable) Autoloaded File Inclusion Vulnerability
http://karmainsecurity.com/KIS-2015-09
- KIS-2015-10 : Piwik <= 2.14.3 (DisplayTopKeywords) PHP Object Injection Vulnerability
http://karmainsecurity.com/KIS-2015-10
- VuXML : piwik -- multiple vulnerabilities
http://www.vuxml.org/freebsd/11351c82-9909-11e5-a9c8-14dae9d5a9d2.html
     
Vulnerability Manager Detection   No
     
IPS Protection   ASQ Engine alarm (available since):
- Misc : Directory traversal - parameter starting with ../ (3.2.0)
- Directory traversal using ..\.. (3.2.0)
- Directory traversal (3.2.0)
- Directory traversal backward root folder (3.2.0)
- Escaped NULL char in URL (3.2.0)
     
Risk level   Moderate

Vulnerability First Public Report Date   2015-11-04

Target Type   Server

Possible exploit   Remote