=====================================================================
                                   CERT-Renater

                        Information Note No. 2010/VULN152
_____________________________________________________________________

DATE                      : 06/05/2010

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Piwik versions prior to 0.6.

======================================================================
http://piwik.org/blog/2010/04/piwik-0-6-security-advisory/
______________________________________________________________________

Piwik 0.6 – Security Advisory to CVE-2010-1453

A non-persistent (reflected) cross-site scripting (XSS) vulnerability was
found in Piwik's Login form, which echoed the form_url parameter back into
the page without proper escaping or filtering. To exploit this vulnerability,
the attacker tricks a Piwik user into visiting a Login URL crafted by the
attacker.

While this is a low risk threat, Piwik users are encouraged to update to
the latest version of Piwik. This issue exists in Piwik versions 0.1.6
through 0.5.5.

In Piwik 0.6, the form_url parameter has been removed.
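The following is an added illustration, not code from Piwik or from the
advisory: it shows the pattern the advisory describes (a request parameter
reflected into login-form markup unescaped), the output-encoding fix, and
the stronger fix Piwik 0.6 chose of not reflecting the parameter at all.
Function names, the form markup and the sample input are all constructed
for this example.

```php
<?php
// Added example (not Piwik's code). Demonstrates why reflecting a request
// parameter into HTML without encoding is an XSS sink, and two ways to
// close it. All names below are hypothetical.

// Vulnerable pattern described in the advisory: the value of form_url is
// concatenated straight into HTML attributes. Any quote or angle bracket
// in the value breaks out of the attribute and becomes markup.
function renderLoginFormUnsafe(string $formUrl): string
{
    return '<form method="post" action="' . $formUrl . '">'
         . '<input type="hidden" name="form_url" value="' . $formUrl . '">'
         . '<input type="text" name="login">'
         . '<input type="password" name="password">'
         . '</form>';
}

// Fix 1: HTML-encode the value for the context it lands in. ENT_QUOTES
// encodes both " and ' so the value cannot terminate either quoting style;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function renderLoginFormSafe(string $formUrl): string
{
    $safe = htmlspecialchars($formUrl, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form method="post" action="' . $safe . '">'
         . '<input type="hidden" name="form_url" value="' . $safe . '">'
         . '<input type="text" name="login">'
         . '<input type="password" name="password">'
         . '</form>';
}

// Fix 2 (what Piwik 0.6 did): stop accepting the parameter. The form action
// is a server-side constant, so there is nothing attacker-controlled to
// reflect and nothing to encode.
const LOGIN_ACTION = 'index.php'; // hypothetical constant

function renderLoginFormFixed(): string
{
    return '<form method="post" action="' . LOGIN_ACTION . '">'
         . '<input type="text" name="login">'
         . '<input type="password" name="password">'
         . '</form>';
}

// Constructed input: a value that contains an attribute delimiter and a tag.
// A real request would supply it via $_GET['form_url'].
$untrusted = $_GET['form_url'] ?? 'index.php"><b>injected</b><i x="';

echo "Unsafe (markup breaks out of the attribute):" . PHP_EOL;
echo renderLoginFormUnsafe($untrusted) . PHP_EOL . PHP_EOL;

echo "Encoded (delimiters rendered as &quot; &lt; &gt;):" . PHP_EOL;
echo renderLoginFormSafe($untrusted) . PHP_EOL . PHP_EOL;

echo "Parameter removed (nothing reflected):" . PHP_EOL;
echo renderLoginFormFixed() . PHP_EOL;
```

Run it with `php example.php` and compare the three outputs: in the first,
the injected `<b>` lands outside the attribute as live markup; in the second
the same bytes appear as inert text; in the third the parameter never
reaches the page. Encoding must match the output context (here an HTML
attribute); a value placed in a JavaScript or URL context needs the encoder
for that context instead.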

References:

    * CVE-2010-1453 – Login Form XSS

======================================================================

          =========================================================
          CERT-Renater reference servers
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================
