Piwik is an open-source web analytics tool. Its updater downloads and
executes PHP code over an insecure (not-HTTPS) connection. The issue was
reported on the public GitHub tracker in October of 2014 and remains


Code signing is implemented, but signatures are not verified.

Workaround: Manually download the update over HTTPS (the build server
has a valid SSL certificate), and check the signatures yourself.


Sent through the Full Disclosure mailing list
Web Archives & RSS: http://seclists.org/fulldisclosure/

Reply via email to