CVE-2009-4137

Matomo < 0.5 - Remote Code Execution via Cookie Unserialize

Title source: manual

Exploitation Summary

EIP tracks 1 public exploit for CVE-2009-4137. PoCs published by Alexeyan.

AI-analyzed exploit summary This exploit leverages PHP object injection in Piwik via a malicious serialized `Piwik_Config` object. It bypasses the PHP showstopper by using `php://filter` with base64 encoding to write a webshell to `/var/www/piwik/webshell.php`.

Description

The loadContentFromCookie function in core/Cookie.php in Piwik before 0.5 does not validate strings obtained from cookies before calling the unserialize function, which allows remote attackers to execute arbitrary code or upload arbitrary files via vectors related to the __destruct function in the Piwik_Config class; php://filter URIs; the __destruct functions in Zend Framework, as demonstrated by the Zend_Log destructor; the shutdown functions in Zend Framework, as demonstrated by the Zend_Log_Writer_Mail class; the render function in the Piwik_View class; Smarty templates; and the _eval function in Smarty.

Exploits (1)

nomisec WORKING POC 4 stars

by Alexeyan · poc

https://github.com/Alexeyan/CVE-2009-4137

View Code ZIP pw:eip

This exploit leverages PHP object injection in Piwik via a malicious serialized `Piwik_Config` object. It bypasses the PHP showstopper by using `php://filter` with base64 encoding to write a webshell to `/var/www/piwik/webshell.php`.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Piwik (version affected by CVE-2009-4137)

No auth needed

Prerequisites: PHP object injection vulnerability in Piwik · Ability to set a cookie with the serialized payload

MITRE ATT&CK