Piwik is an open-source web analytics tool. Its updater downloads and executes PHP code over an insecure (not-HTTPS) connection. The issue was reported on the public GitHub tracker in October of 2014 and remains unfixed.
https://github.com/piwik/piwik/issues/6441 Code signing is implemented, but signatures are not verified. Workaround: Manually download the update over HTTPS (the build server has a valid SSL certificate), and check the signatures yourself. -Taylor _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/