Piwik Releases Fix for Cross-Site Scripting (XSS) Vulnerability

On Tuesday Piwik released Piwik 1.1, which fixed the cross-site scripting (XSS) vulnerability in the Live Visitors! widget (renamed Visitors in Real Time in the new version) which we previously wrote about. The fix was released just over a month after we contacted them about the issue and two weeks after they apparently became aware of us contacting them. Based on contact with them, it seems possible that they could have become aware of the issue as long ago as August 28th, four months before they fixed it. A number of other cross-site scripting vulnerabilities were also fixed in the release, but no details have been provided on those. There was also a professional security audit done for Piwik 1.1; unfortunately, that audit was focused only on the source code and not on Piwik’s security process, which we believe has some serious problems. These include not having a reliable way for security issues to be reported and not promptly releasing fixes for security vulnerabilities.

Piwik’s choice to wait for the next major release to fix the vulnerability, instead of promptly releasing a security release, also exposed another problem with this type of approach. Users were told the release was critical and that they should “update now”, but when users did, it caused some Piwik installations to stop working. Piwik then released an update the next day which solved the most serious problems, but it appears a number of serious issues still exist. If the security updates had been released separately, they could have been applied promptly, and users could have taken more time, possibly testing the new version on a development website, before upgrading to the next major release, which would likely have led to fewer users experiencing these bugs.