Below link is providing details about piwik vulnerability :
Is that a vulnerability or not ? If it is then how to control it ?
Am I the only one who thinks this is nonsense?!
If I got Superuser Access to Piwik it’s supposed to be able installing Plugins … of course I can also install malicious Plugins that way … This is expected behavior … ?!
The same would be "I can install malicious Software on a Linux Server I got ROOT ACCESS to …"
bye from sunny Austria
Andreas Schnederle-Wagner
The original article bragged about hacking the database that contains Piwik’s Superuser credentials, and then hacking the Piwik Superuser credentials to get the login password.
This isn’t so much a security hole in Piwik as it is a problem with weak database security on the server he hacked originally.
In Piwik 2.14, which is what I’m running, the database connection credentials are kept in an unencrypted text file that could be accessed by a hacker if its permissions aren’t set correctly. This is a weakness.
In any case this is not a critical vulnerability because it allowed Super Users code execution. But Super Users are trusted. But still we decided to improve this because we want to make Piwik the most secure possible.
We’re improving Piwik in 3.0.3 - now Super Users won’t be able to upload plugins by default. Done in: Introduces new config setting to enabled plugin upload by sgiehl · Pull Request #11445 · piwik/piwik · GitHub