exploit the possibilities

WordPress Google Analytics Counter Tracker 3.1.5 PHP Object Injection

WordPress Google Analytics Counter Tracker 3.1.5 PHP Object Injection
Posted Dec 11, 2016
Authored by Securify B.V., Remco Vermeulen

WordPress Google Analytics Counter Tracker plugin version 3.1.5 suffers from an unauthenticated PHP object injection vulnerability.

tags | exploit, php
MD5 | 1fabefbf2455d13c37b52652e938d419

WordPress Google Analytics Counter Tracker 3.1.5 PHP Object Injection

Change Mirror Download
------------------------------------------------------------------------
Google Analytics Counter Tracker WordPress Plugin unauthenticed PHP
Object injection vulnerability
------------------------------------------------------------------------
Remco Vermeulen, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A PHP Object injection vulnerability was found in Google Analytics
Counter Tracker, which can be used by an unautenthicated user to
instantiated arbitrary PHP Objects. Using this vulnerability it is
possible to execute arbitrary PHP code.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160712-0035

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was succesfully tested on the Google Analytics Counter
Tracker WordPress Plugin version 3.1.5.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue has been addressed in Google Analytics Counter Tracker
version 3.5.1.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2016/google_analytics_counter_tracker_wordpress_plugin_unauthenticed_php_object_injection_vulnerability.html

This issue is possible due to an unsafe call to unserialize() in the proccessRequest() method. The input is taken directly from the wpadm_ga_request cookie as can be seen in the following code fragment:

class.wpadm-ga.php:

protected static function proccessRequest() {
$request_name = self::REQUEST_PARAM_NAME;
$params = unserialize(base64_decode($_POST[$request_name]));

$v = self::verifySignature($params['sign'], get_option('wpadm_ga_pub_key'), md5(serialize($params['data'])));

It has been confirmed that this issues can be used to execute arbitrary PHP code.

------------------------------------------------------------------------
Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
goal is to contribute to the security of popular, widely used OSS
projects in a fun and educational way.

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

May 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    16 Files
  • 2
    May 2nd
    8 Files
  • 3
    May 3rd
    8 Files
  • 4
    May 4th
    2 Files
  • 5
    May 5th
    1 Files
  • 6
    May 6th
    15 Files
  • 7
    May 7th
    22 Files
  • 8
    May 8th
    16 Files
  • 9
    May 9th
    17 Files
  • 10
    May 10th
    16 Files
  • 11
    May 11th
    3 Files
  • 12
    May 12th
    4 Files
  • 13
    May 13th
    25 Files
  • 14
    May 14th
    24 Files
  • 15
    May 15th
    78 Files
  • 16
    May 16th
    16 Files
  • 17
    May 17th
    12 Files
  • 18
    May 18th
    2 Files
  • 19
    May 19th
    1 Files
  • 20
    May 20th
    2 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close