CVE-2009-4137

Name of the Vulnerable Software and Affected Versions Piwik versions prior to 0.5

Description The issue concerns the loadContentFromCookie function in Piwik's core/Cookie.php, which fails to validate strings from cookies before unserializing them. This allows remote attackers to execute arbitrary code or upload files via various vectors, including the destruct function in the Piwik Config class, php://filter URIs, and the destruct and shutdown functions in Zend Framework. Additionally, it affects the render function in the Piwik View class, Smarty templates, and the eval function in Smarty.

Recommendations For versions prior to 0.5, update to version 0.5 or later to resolve the issue. As a temporary workaround, consider disabling the loadContentFromCookie function until a patch is available. Restrict access to the Piwik Config class and the render function in the Piwik View class to minimize the risk of exploitation. Avoid using the destruct and shutdown functions in Zend Framework in the affected versions until the issue is resolved.