what you don't know can hurt you

WordPress Google Analytics Counter Tracker 3.1.5 PHP Object Injection

WordPress Google Analytics Counter Tracker 3.1.5 PHP Object Injection
Posted Dec 11, 2016
Authored by Securify B.V., Remco Vermeulen

WordPress Google Analytics Counter Tracker plugin version 3.1.5 suffers from an unauthenticated PHP object injection vulnerability.

tags | exploit, php
MD5 | 1fabefbf2455d13c37b52652e938d419

WordPress Google Analytics Counter Tracker 3.1.5 PHP Object Injection

Change Mirror Download
------------------------------------------------------------------------
Google Analytics Counter Tracker WordPress Plugin unauthenticed PHP
Object injection vulnerability
------------------------------------------------------------------------
Remco Vermeulen, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A PHP Object injection vulnerability was found in Google Analytics
Counter Tracker, which can be used by an unautenthicated user to
instantiated arbitrary PHP Objects. Using this vulnerability it is
possible to execute arbitrary PHP code.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160712-0035

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was succesfully tested on the Google Analytics Counter
Tracker WordPress Plugin version 3.1.5.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue has been addressed in Google Analytics Counter Tracker
version 3.5.1.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2016/google_analytics_counter_tracker_wordpress_plugin_unauthenticed_php_object_injection_vulnerability.html

This issue is possible due to an unsafe call to unserialize() in the proccessRequest() method. The input is taken directly from the wpadm_ga_request cookie as can be seen in the following code fragment:

class.wpadm-ga.php:

protected static function proccessRequest() {
$request_name = self::REQUEST_PARAM_NAME;
$params = unserialize(base64_decode($_POST[$request_name]));

$v = self::verifySignature($params['sign'], get_option('wpadm_ga_pub_key'), md5(serialize($params['data'])));

It has been confirmed that this issues can be used to execute arbitrary PHP code.

------------------------------------------------------------------------
Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
goal is to contribute to the security of popular, widely used OSS
projects in a fun and educational way.

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

November 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    28 Files
  • 2
    Nov 2nd
    1 Files
  • 3
    Nov 3rd
    1 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    19 Files
  • 6
    Nov 6th
    65 Files
  • 7
    Nov 7th
    22 Files
  • 8
    Nov 8th
    18 Files
  • 9
    Nov 9th
    1 Files
  • 10
    Nov 10th
    1 Files
  • 11
    Nov 11th
    11 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close