WordPress Yoast Google Analytics Cross Site Scripting

Posted Apr 21, 2015
Authored by Jouko Pynnonen | Site klikki.fi

WordPress Yoast Google Analytics plugin versions prior to 5.4 suffer from a cross site scripting vulnerability.

tags | exploit, xss
SHA-256 | 6b96d28de3f357652545a0bed162424636126d5a3cec6ab77e597aa31454bbc8

OVERVIEW
==========

Google Analytics by Yoast is one of the most popular WordPress
plug-ins with over 7 million downloads and "1+ million" active
installs. Last month Yoast patched a stored XSS we reported in the
plug-in. Shortly after this we identified another bug of a similar
severity. The second stored XSS has now been corrected.

An unauthenticated attacker can store JavaScript in the WordPress
administrator’s Dashboard on the target system. The script will be
triggered when an administrator views the Analytics panel next time.
No other user interaction is required.

Under default configuration the injected script can execute arbitrary
code on the web server via the plugin or theme editors.

Alternatively the attacker could change the administrator’s password,
create new administrator accounts, and do whatever else the currently
logged-in administrator can do on the target system.



DETAILS
========

Exploiting the bug is easier to carry out and automate than in the
first case. The simplest exploit is to view a page on the target
system so many times that it ends up in the "Popular pages" section of
the Analytics panel. Any HTML tags appended to the page URL will be
embedded without escaping.

If the site is low-traffic or hasn't got much content, a single page
load may suffice. On heavy-traffic sites the attacker would have to
use a tool, script, or other method to generate a lot of page views.

It's possible to generate fake page views for Google Analytics. This
happens by communicating directly to the Analytics server; no genuine
page views or a real web browser would be required to plant the
malicious script.

While the previous vulnerability could be used to inject JavaScript in
the plugin's Settings panel (requiring two clicks from the WordPress
main Dashboard view), this one is triggered in the main Analytics
panel. Selecting the Analytics view in the Dashboard would suffice to
execute the attacker's code (one click from the WordPress main
Dashboard).

The plug-in doesn't aggregate Google Analytics data more frequently
than once per day so the attacker may have to wait some time for the
injected code to get triggered.




PROOF OF CONCEPT
==================

While not logged on, navigate to a URL like:

http://YOUR.BLOG/?html=<script>alert('hello')</script>

Log on and view the Analytics panel in the Dashboard. If you already
had visited the Dashboard recently, you may have to wait for the next
data aggregation.
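As an added illustration (not the Yoast plugin's own code), the rendering defect described in DETAILS and exercised by the proof of concept: a dashboard widget that lists "popular pages" paths taken from analytics rows, first concatenated into HTML untouched, then escaped for the HTML text context. The function names and the sample rows are constructed; the first path is the advisory's proof-of-concept URL, used here as data only.

```php
<?php
// Added example, not the plugin's code: rendering "popular pages" from
// analytics data. The page paths originate from whatever was requested
// against the site (or reported to Google Analytics), so they are
// attacker-controlled and must be treated as untrusted output.

// Constructed sample of aggregated analytics rows. The first path is the
// advisory's proof-of-concept URL; it is plain data here.
$popularPages = [
    ['path' => "/?html=<script>alert('hello')</script>", 'views' => 412],
    ['path' => '/about/',                                 'views' => 97],
];

// Vulnerable rendering: the path is concatenated into the widget's HTML
// without escaping, so the administrator's browser executes any markup
// the request contained.
function render_popular_pages_vulnerable(array $rows): string {
    $html = '<ul>';
    foreach ($rows as $row) {
        $html .= '<li>' . $row['path'] . ' (' . $row['views'] . ' views)</li>';
    }
    return $html . '</ul>';
}

// Hardened rendering: every untrusted string is escaped for the HTML text
// context (in WordPress, esc_html() serves the same purpose) and the view
// count is cast to an integer before it reaches the markup.
function render_popular_pages_hardened(array $rows): string {
    $html = '<ul>';
    foreach ($rows as $row) {
        $path  = htmlspecialchars($row['path'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $views = (int) $row['views'];
        $html .= "<li>{$path} ({$views} views)</li>";
    }
    return $html . '</ul>';
}

// Check used by a reviewer or a unit test: a raw <script> tag must never
// survive into the rendered widget.
function contains_raw_script(string $html): bool {
    return stripos($html, '<script') !== false;
}

echo "vulnerable output leaks script tag: ",
     var_export(contains_raw_script(render_popular_pages_vulnerable($popularPages)), true), "\n";
echo "hardened output leaks script tag:   ",
     var_export(contains_raw_script(render_popular_pages_hardened($popularPages)), true), "\n";
echo render_popular_pages_hardened($popularPages), "\n";
```

The same escaping must be applied anywhere the plugin echoes analytics-derived strings (page titles, referrers, campaign names), since all of them are supplied by the visitor rather than by the site owner.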



SOLUTION
=========

The vendor was notified on March 22, 2015. A new version of the
plug-in (5.4) was released on April 20. The update can be installed
via the WordPress Dashboard.



CREDITS
========

The vulnerability was discovered by Jouko Pynnönen of Klikki Oy while
investigating websites in the scope of Facebook’s bug bounty program.

A Facebook acquisition listed on their bug bounty info page was
affected by both of the stored XSS vulnerabilities in this plugin.
While Facebook agreed on the technical severity of the bugs (stored
XSS which "potentially allowed an attacker to achieve RCE"), no bounty
was issued.

In the three published remote code execution bug cases I could find
(which include indirect or "potential" RCEs) Facebook issued rewards
ranging from $15,000 to $33,500.

The rationale for denying bounties this time was that the
vulnerabilities affected WordPress instead of Facebook-specific
software and no "user data" or Facebook-owned infrastructure was
involved.

Facebook has previously qualified WordPress bugs (e.g. WPML) and bugs
that involve neither "user data" (e.g. aconnectedlife.info) nor
Facebook-owned infrastructure (Oculus, aconnectedlife.info, Onavo DNS
misconfiguration, etc.).

It was therefore surprising that after taking appropriate steps to
secure their systems, Facebook decided that these bug reports weren't
worth any reward at all.

An up-to-date version (including a YouTube demo) of this document can
be found at http://klikki.fi/adv/yoast_analytics2.html .



--
Jouko Pynnönen <jouko@iki.fi>
Klikki Oy - http://klikki.fi - @klikkioy