[<prev] [next>] [day] [month] [year] [list]
Message-ID: <4c1cb201-6e7e-22ca-4381-f4b61e30b64f@defensecode.com>
Date: Thu, 11 May 2017 12:34:48 +0200
From: DefenseCode <defensecode@...ensecode.com>
To: bugtraq@...urityfocus.com, fulldisclosure@...lists.org,
websecurity@...appsec.org
Subject: [FD] DefenseCode ThunderScan SAST Advisory: WordPress Tracking Code
Manager Plugin Multiple Security Vulnerabilities
DefenseCode ThunderScan SAST Advisory
WordPress Tracking Code Manager Plugin
Multiple Security Vulnerabilities
Advisory ID: DC-2017-01-020
Advisory Title: WordPress Tracking Code Manager Plugin Multiple
Vulnerabilities
Advisory URL:
http://www.defensecode.com/advisories/DC-2017-01-020_WordPress_Tracking_Code_Manager_Plugin_Advisory.pdf
Software: WordPress Tracking Code Manager
Software Language: PHP
Version: 1.11.1 and below
Vendor Status: Vendor contacted
Release Date: 2017-05-10
Risk: Medium
1. General Overview
===================
During the security audit of Tracking Code Manager plugin for
WordPress CMS, multiple vulnerabilities were discovered using
DefenseCode ThunderScan application source code security analysis
platform.
More information about ThunderScan is available at URL:
http://www.defensecode.com
2. Software Overview
====================
According to the developers, Tracking Code Manager is a plugin to
manage all your tracking code and conversion pixels, simply.
Compatible with Facebook Ads, Google Adwords, WooCommerce, Easy
Digital Downloads, WP eCommerce.
It has more than 40,000 downloads on wordpress.org.
Homepage: https://wordpress.org/plugins/tracking-code-manager/
3. Brief Vulnerability Description
==================================
During the security analysis, ThunderScan discovered Cross-Site
Scripting and remote Denial of Service vulnerabilities in Tracking
Code Manager plugin. Denial of Service requires only one visit to a
specific URL and whole WordPress becomes completely unresponsive until
restart. DoS is based upon the ability of the user to select and call
a function of it's choice (while safisfying specific conditions). By
making a recursive call to the function that handles the request
(tcmp_do_action()) DoS can easily be accomplished.
Both vulnerabilities can be found in the settings section of the
plugin, and can be remotely triggered due to missing nonce token and
validation. Since the DoS vulnerability relies on GET requests, is
missing the nonce token, the vulnerability is also directly exposed to
attack vectors such as Cross Site request forgery (CSRF).
DoS vulnerability was confirmed on windows OS.
3.1 Cross-Site Scripting
URL Parameter: tcmp_action
Vulnerable URL:
http://vulnerablesite.com/wp-admin/options-general.php?page=tracking-code-manager&tab=editor&tcmp_action=<script>alert(1)</script>
3.2. Denial of Service
Function: tcmp_do_action()
Vulnerable URL:
http://vulnerablesite.com/wp-admin/options-general.php?page=tracking-code-manager&tab=editor&tcmp_action=do_action
4. Solution
===========
Vendor should resolve the security issues in next release. All users
are strongly advised to update WordPress Tracking Code Manager plugin
to the latest available version as soon as the vendor releases an
update.
5. Credits
==========
Discovered with DefenseCode ThunderScan Source Code Security Analyzer
by Neven Biruski
6. Disclosure Timeline
======================
04/04/2017 Vendor contacted
07/04/2017 Vendor responded: "We will fix it in the next update"
10/05/2017 Advisory released to the public
7. About DefenseCode
====================
DefenseCode L.L.C. delivers products and services designed to analyze
and test web, desktop and mobile applications for security
vulnerabilities.
DefenseCode ThunderScan is a SAST (Static Application Security
Testing, WhiteBox Testing) solution for performing extensive security
audits of application source code. ThunderScan SAST performs fast and
accurate analyses of large and complex source code projects delivering
precise results and low false positive rate.
DefenseCode WebScanner is a DAST (Dynamic Application Security
Testing, BlackBox Testing) solution for comprehensive security audits
of active web applications. WebScanner will test a website's security
by carrying out a large number of attacks using the most advanced
techniques, just as a real attacker would.
Subscribe for free software trial on our website
http://www.defensecode.com/
E-mail: defensecode[at]defensecode.com
Website: http://www.defensecode.com/
Twitter: https://twitter.com/DefenseCode/
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists