Links to other domains injected to Page results #2452

Closed
anonymous-matomo-user opened this issue May 24, 2011 · 1 comment
Labels
Bug For errors / faults / flaws / inconsistencies etc. duplicate For issues that already existed in our issue tracker and were reported previously. Major Indicates the severity or impact or benefit of an issue is much higher than normal but not critical.

@anonymous-matomo-user

Expected Behavior

Viewing Actions > Pages should bring up a list of pages visitors to my site have looked at. All of those Pages should link only to sites I have specified within my domain settings in Piwik.

Actual Behavior

Links to outside domains do show up, and appear malicious. (And these links appear under "Pages", not "Exit Pages", even though no such page exists on my domain.)

For example, a "page" called "browse.php" shows up in my Page analytics, but the link doesn't point to any of my domains - it points to either an IP address or a site like "zooworldgameguide.com".

Steps to Reproduce

My webserver logs show that a line like this is probably what injected the link to a rogue website. (Parts specific to my website removed.)

It appears to be calling piwik.php but customizing the parameters for its own means.

(cut into multiple lines for readability - was one long line in web server logs)

[source IP here] - - [08/May/2011:00:31:17 -0700]
"GET /stats/piwik.php?action_name=[my site name stripped]
  &idsite=1&rec=1&rand=0.7976603401009384&h=9&m=31&s=19
  &url=http%3A%2F%2Fzooworldgameguide.com%2Fbrowse.php%3F[params stripped]
  &urlref=http%3A%2F%2Fzooworldgameguide.com[referer params stripped]
  &_idvc=1&_idn=1&_rcn=&_rck=&_refts=0&_viewts=1304839880&_ref=&pdf=1&qt=1
  &realp=0&wma=1&dir=0&fla=1&java=1&gears=0&ag=1&res=1680x1050&cookie=1 HTTP/1.1"
200 54 "[referer stripped - was my domain]"
"Mozilla/5.0 (Windows NT 6.0; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1" "-"

Keywords: security
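
One way to spot requests like the one reported above in a web server access log, as an added example that is not part of the original issue or of Piwik's code. The allowed-host table, the sample log lines and the function name are assumptions constructed for illustration; only the `url` parameter is checked, because `urlref` legitimately names other sites.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: hostnames configured for each Piwik site id (constructed values).
ALLOWED_HOSTS = {"1": {"example.org", "www.example.org"}}

# Constructed access-log lines modelled on the one in the report.
_HEAD = ' - - [08/May/2011:00:31:17 -0700] "GET /stats/piwik.php?idsite=1&rec=1&url='
_TAIL = ' HTTP/1.1" 200 54 "-" "Mozilla/5.0"'
SAMPLE_LOG = [
    "203.0.113.7" + _HEAD + "http%3A%2F%2Fzooworldgameguide.com%2Fbrowse.php%3Fq%3D1"
    "&urlref=http%3A%2F%2Fzooworldgameguide.com%2F" + _TAIL,
    # Legitimate hit: own page, foreign referrer (urlref may be any site).
    "198.51.100.20" + _HEAD + "http%3A%2F%2Fwww.example.org%2Findex.html"
    "&urlref=http%3A%2F%2Fsearch.example.net%2F" + _TAIL,
    "203.0.113.9" + _HEAD + "http%3A%2F%2F192.0.2.44%2Fbrowse.php" + _TAIL,
    '198.51.100.20 - - [08/May/2011:00:31:20 -0700] "GET /index.html' + _TAIL,
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def foreign_url_hits(lines, allowed=ALLOWED_HOSTS):
    """Return (client_ip, idsite, host) for tracker hits whose url= host
    is not registered for that idsite."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        try:
            target = urlsplit(m.group(1))
            if not target.path.endswith("/piwik.php"):
                continue
            params = parse_qs(target.query)  # also percent-decodes the values
            page_url = params.get("url", [""])[0]
            host = (urlsplit(page_url).hostname or "").lower()
        except ValueError:
            continue  # skip request targets that cannot be parsed as URLs
        idsite = params.get("idsite", [""])[0]
        if host and host not in allowed.get(idsite, set()):
            hits.append((line.split(" ", 1)[0], idsite, host))
    return hits


if __name__ == "__main__":
    for hit in foreign_url_hits(SAMPLE_LOG):
        print(hit)
```
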

@mattab
Member

mattab commented Jun 1, 2011

See feature request #588

@anonymous-matomo-user anonymous-matomo-user added this to the 1.5 - Piwik 1.5 milestone Jul 8, 2014
This issue was closed.