Hi Team,

I have locally hosted PIWIK (2.14.3) on my machine and tested few modules of it. While going through an account I have observed that when user gets created, he/she gets on "token_auth" which is static for Life Time. (It doesn't expire after logout).

If in any way I get this token of account owner, I will have life time access of his/her account. I can fire any any request on owner's account whether its of creating user, deleting user, creating Email report or delete Email reports etc.

Note that, this vulnerability is present/tested on latest version of PIWIK and also on your "Cloud-hosted Piwik".

POC:

1. Login to account.
2. Create a user or create Email report and Capture that POST request.
3. Logout from account.
4. Modify and Replay request captured in step 2 and see success response.
5. Login into account and verify changes.

In fact, in step 4, you don't need a cookie to get success response. :D :D . You can fire that request without any valid/invalid cookie.

You only need user's "token_auth" and account name of account owner. And all you can own his account.

Recommendation:
Instead of using t

oken_auth, you should use Anti-CSRF token to verify each and every incoming request from users.
If you implement Anti-CSRF token in proper way, all such malicious requests will fail.

I have uploaded video POC and Sample requests on dropbox. In this Video-POC, I have created and deleted "Email Reports" after logout. In such a way, you can create users or delete user or can do any operations.

Download Link:
https://www.dropbox.com/s/f3jbb6k3z2ku374/Create%20and%20Delete%20Email%20Report%20-%20PIWIK.zip?dl=1

Request you to please check the same and let me know if anything is needed.

Thanks,
Tushar