Advisory: Piwik 1.6 Full Path Disclosure
Advisory ID: SSCHADV2011-032
Author: Stefan Schurtz
Affected Software: Successfully tested on Piwik 1.6
Vendor URL: http://piwik.org/
Vendor Status: informed but no fix available
CVE-ID: -

==========================
Vulnerability Description:
==========================

Piwik 1.6 is prone to a Full Path Disclosure vulnerability

==================
Technical Details:
==================

http:///piwik/?module=VisitsSummary&action=getEvolutionGraph&idSite=&period=day
http:///piwik/index.php?module=LanguagesManager&action=saveLanguage

=========
Solution:
=========

NO FIX!

====================
Disclosure Timeline:
====================

19-Oct-2011 - informed developers
19-Oct-2011 - response from vendor -> no fix
19-Oct-2011 - release date of this security advisory

========
Credits:
========

Vulnerability found and advisory written by Stefan Schurtz.

===========
References:
===========

http://piwik.org/
http://www.rul3z.de/advisories/SSCHADV2011-032.txt