Two days ago we posted about a cross-site scripting (XSS) vulnerability in Piwik’s Live Visitors! widget and we have now received an email response from Piwik. In their response they told us that the vulnerability had already been reported to them. Unfortunately, their response also indicated that they were waiting to fix the vulnerability in their next major release instead of releasing a security release to fix the issue promptly after they became aware of it.
While the vulnerability would be difficult to exploit, as we discussed in our previous post, and would require a separately created malicious payload to be dangerous, it certainly seems to be something that should have been promptly fixed. Considering that there have been at least two reports to Piwik, it is likely that others are aware of the issue. Piwik also seems to think it is a serious issue, as they left a comment on our previous post requesting that we make the post private (something we would have done if a fix was going to be released in a timely manner) and they were critical of our public release of the information.
WordPress, which we consider to follow responsible security practices, appears to promptly release fixes for security vulnerabilities instead of waiting for the next major release. Last year they even back-ported security enhancements developed for their next major release to the current version to improve security.
Until they decide to release a fix for the vulnerability, you can protect yourself by removing the Live Visitors! widget from your Dashboard or by applying the fix mentioned in our previous post, which appears to fix the issue.
Assuming that Piwik was not aware of the vulnerability before releasing the most recent version, Piwik 1.0, they could have possibly known about the vulnerability as far back as August 28th.
What was also troubling was that Piwik apparently did not receive the messages we sent them. Both the email we received and the comment on our previous post claimed they had not received our emails, though in our original post we only mentioned that we contacted them and not that we had emailed them. In the email we received from them they stated “If your email contained an example URL similar to the one in your blog post, then it quite likely got filtered as spam or malicious content (i.e., phishing).” This is a problem, as it means that Piwik could be failing to receive other reports of security vulnerabilities, which could then be left unfixed. Since our original posting they have created a new security page on their website that mentions the problem with their spam filter. Hopefully, Piwik will take the further step of either fixing the current reporting system or creating a new one so that they can ensure they receive security vulnerability reports in the future.
We certainly don’t want to be overly critical of Piwik, but their response to this issue is very troubling to us because we use Piwik on our website and we recommend and promote the software to others.
The Live Visitors! widget for Piwik, an open source web analytics software similar to Google Analytics, contains a cross-site scripting (XSS) vulnerability which can allow malicious HTML to be added to Piwik’s Dashboard. The Dashboard is the page that users come to after logging in to Piwik and contains an overview of statistics. The Live Visitors! widget was added to the default Dashboard with Piwik 1.0.
The vulnerability exists because the Live Visitors! widget does not properly sanitize special characters from the referer_keyword field of the piwik_log_visit table in the database. The referer_keyword field stores the keyword(s) that a user had searched for when they visited the website through a search engine. This vulnerability can be used to add malicious HTML code to the Dashboard while a visitor with a specially crafted referrer is being displayed in the Live Visitors! widget. For example, the following referrer would create a script tag calling the file example.com/malicious.js:
The example.com/malicious.js could contain code that attempts to install malware on a computer or have some other malicious purpose.
We twice contacted Piwik’s security team about the issue. On December 2nd we provided them with basic details of the issue and on December 14th we contacted them with additional details of the issue and a possible fix for the issue. We have not received any response from them.
To ensure that you are protected from the vulnerability being exploited you can remove the Live Visitors! widget from the Dashboard. A change that appears to fix the issue is to modify the following line in the file /plugins/Live/Visitor.php from
This change will cause special characters to be converted to HTML entities, so you would see the malicious code in text form instead of it being executed.
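As an added illustration (not Piwik’s own code, and not the line from Visitor.php itself), the following PHP uses a hypothetical stand-in for the widget’s rendering of referer_keyword, first without escaping and then with the HTML-entity conversion the fix relies on; the visit rows are constructed sample data rather than real piwik_log_visit rows.

```php
<?php
// Constructed sample rows standing in for piwik_log_visit. The second
// referer_keyword carries the kind of HTML described in the post above.
$visits = [
    ['idvisit' => 1, 'referer_keyword' => 'piwik dashboard widgets'],
    ['idvisit' => 2, 'referer_keyword' => '<script src="example.com/malicious.js"></script>'],
];

// Vulnerable variant (hypothetical): the stored keyword is interpolated
// into the widget's HTML exactly as it was saved from the referrer.
function renderKeywordUnsafe(string $keyword): string
{
    return '<span class="keyword">' . $keyword . '</span>';
}

// Fixed variant: special characters become HTML entities before output,
// so the browser shows the keyword as text instead of parsing it as markup.
// ENT_QUOTES also escapes single quotes, which matters if the value is ever
// placed inside an attribute; the charset avoids mis-decoding multi-byte input.
function renderKeywordSafe(string $keyword): string
{
    return '<span class="keyword">'
        . htmlspecialchars($keyword, ENT_QUOTES, 'UTF-8')
        . '</span>';
}

// Self-check used below: does a raw opening tag of this name survive in the
// rendered HTML? Escaped output turns "<script" into "&lt;script".
function containsRawTag(string $html, string $tag): bool
{
    return strpos($html, '<' . $tag) !== false;
}

foreach ($visits as $visit) {
    $unsafe = renderKeywordUnsafe($visit['referer_keyword']);
    $safe   = renderKeywordSafe($visit['referer_keyword']);
    printf("visit %d unsafe: %s\n", $visit['idvisit'], $unsafe);
    printf("visit %d safe:   %s\n", $visit['idvisit'], $safe);
    printf("visit %d raw <script> present? unsafe=%s safe=%s\n\n",
        $visit['idvisit'],
        containsRawTag($unsafe, 'script') ? 'yes' : 'no',
        containsRawTag($safe, 'script') ? 'yes' : 'no');
}
```

Running it prints the second visit's keyword as a live tag in the unsafe output and as the entity-encoded text `&lt;script src=&quot;example.com/malicious.js&quot;&gt;...` in the safe output, which is the behaviour the fix described above produces.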
In the last several weeks Google has begun to show “This site may be compromised.” warnings, for websites they “believe may have been hacked or otherwise compromised”, in their search results. According to Google’s article about the warning, they have been added “To protect the safety of our users” and they recommend users “should be careful about providing personal information to the site” being flagged.
In the past, when Google has detected websites they believe to be hacked and to violate their Webmaster Guidelines, they have removed the websites from their index and placed a “Notice of Suspected Hacking” message in their Webmaster Tools to let the webmaster know. It’s unclear at this point if Google has replaced doing that with the new warning or if the warning is only for websites that have been hacked in such a way that does not warrant being removed from their search index. Unlike the malware warning (“This site may harm your computer.”) Google places in their search results, which sends users to an interstitial page when they click a search result for an affected website, users are still able to directly access the website.
For websites which display the warning, after the hack has been removed reconsideration needs to be requested from Google to have the warning message removed. According to a post by Google employee John Mueller, “These requests are processed fairly quickly (usually within a day, though it’s not possible to give an exact timeframe).”