what you don't know can hurt you

Yoast Google Analytics Stored Cross Site Scripting

Yoast Google Analytics Stored Cross Site Scripting
Posted Mar 20, 2015
Authored by Jouko Pynnonen | Site klikki.fi

The Yoast WordPress Google Analytics plugin suffers from a stored cross site scripting vulnerability.

tags | exploit, xss
MD5 | 5685c927d3a6f1b4721f023d1a424a8d

Yoast Google Analytics Stored Cross Site Scripting

Change Mirror Download
OVERVIEW
==========

Google Analytics by Yoast is a WordPress plug-in for monitoring
website traffic. With approximately seven million downloads it’s one
of the most popular WordPress plug-ins.

A security vulnerability in the plug-in allows an unauthenticated
attacker to store arbitrary HTML, including JavaScript, in the
WordPress administrator’s Dashboard on the target system. The
JavaScript will be triggered when an administrator views the plug-in’s
settings panel. No further user interaction is required.

Typically this can be used for arbitrary server-side code execution
via the plugin or theme editors. Alternatively the attacker could
change the administrator’s password, create new administrator
accounts, or do whatever else the currently logged-in administrator
can do on the target site.



DETAILS
=======

The impact is a combination of two underlying problems. Firstly,
missing access control allows an unauthenticated user to modify some
of the settings associated with the plug-in. It’s possible overwrite
the existing OAuth2 credentials which the plug-in uses for retrieving
data from Google Analytics, and thereby connect the plug-in with the
attacker’s own Google Analytics account.

Secondly, the plug-in renders an HTML dropdown menu based on the data
downloaded from Google Analytics. This data is not sanitized or
HTML-escaped. If the said attacker enters HTML code such as <script>
tags in the properties in their Google Analytics account settings, it
will appear in the WordPress administrative Dashboard of the targeted
system and get executed whenever someone views the settings.



PROOF OF CONCEPT
==================

The following HTML snippet could be used to hijack the Google
Analytics account of a website running a vulnerable version of the
plug-in:

<a href="http://YOUR.BLOG/wp-admin/admin-post.php?reauth=1">reauth</a>
<br><br>
<form method=POST action="http://YOUR.BLOG/wp-admin/admin-post.php">
<input type=text size=100 name="google_auth_code">
<input type=submit>
</form>


First, the attacker would click the reauth link. The action doesn't
require any kind of authentication. It will reset some of the plugin
settings and redirect the attacker to a google.com OAuth dialog, where
they'd get an authentication code.

Next the attacker would copy-paste the code in the above form and
submit. This would update the code in the plugin settings - again
without requiring authentication. The plugin would now retrieve its
data from the attacker's Google Analytics account.

The actual payload script would be entered at the attacker's own
Google Analytics account settings at

https://www.google.com/analytics/web/?hl=en#management/Settings/

An example of a property name:

test"><script>alert('stored XSS')</script>

This would fire an alert box whenever an administrator views the
Analytics settings page in the Dashboard of the target WordPress site.

A real-world attack would probably use a src attribute to load a more
sophisticated script from an external site. It could make chained ajax
calls to load and submit administrative forms, including those of the
plugin editor to write server-side PHP code, and finally execute it.



SOLUTION
=========

Yoast was notified on March 18, 2015. A new version of the plug-in
(5.3.3) was released the next day.



CREDITS
========

The vulnerability was found by Jouko Pynnönen of Klikki Oy, Finland.

An up-to-date version of this document is available at
http://klikki.fi/adv/yoast_analytics.html



--
Jouko Pynnönen <jouko@iki.fi>
Klikki Oy - http://klikki.fi - @klikkioy

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

August 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    10 Files
  • 2
    Aug 2nd
    8 Files
  • 3
    Aug 3rd
    2 Files
  • 4
    Aug 4th
    1 Files
  • 5
    Aug 5th
    15 Files
  • 6
    Aug 6th
    79 Files
  • 7
    Aug 7th
    16 Files
  • 8
    Aug 8th
    11 Files
  • 9
    Aug 9th
    10 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    6 Files
  • 12
    Aug 12th
    26 Files
  • 13
    Aug 13th
    15 Files
  • 14
    Aug 14th
    19 Files
  • 15
    Aug 15th
    52 Files
  • 16
    Aug 16th
    11 Files
  • 17
    Aug 17th
    1 Files
  • 18
    Aug 18th
    2 Files
  • 19
    Aug 19th
    18 Files
  • 20
    Aug 20th
    19 Files
  • 21
    Aug 21st
    17 Files
  • 22
    Aug 22nd
    9 Files
  • 23
    Aug 23rd
    3 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close