WordPress plugin Google Analytics by Yoast stored XSS Vulnerability
A stored XSS vulnerability has been found in the popular WordPress plug-in Google Analytics by Yoast. It allows unauthenticated attackers to store arbitrary HTML, including JavaScript, in the WordPress administration panel. When an administrator views the plug-in's settings panel, the JavaScript executes without any further interaction.
Vulnerability description
Google Analytics by Yoast is a WordPress plug-in used to monitor website traffic. The plug-in has around downloads and is one of the most popular WordPress plug-ins. Although its code has been routinely audited since 2014, this vulnerability went unnoticed. It is very dangerous and is clearly the most serious vulnerability found in a Yoast WordPress plug-in.
Attackers can exploit this vulnerability to execute code on the server. In the default WordPress configuration, a malicious user can use it to write PHP files to the server through the plug-in/theme editor (see the video demo). Alternatively, an attacker can change the administrator's password, create administrator accounts, or perform any other action available to a logged-in user on the affected website.
The vulnerability was discovered by Klikki Oy in late January this year, but its full impact was not known until the complete results of the investigation were released on March 1. The plug-in has been updated to fix the issue.
Vulnerability details
The impact of the vulnerability comes from the combination of two problems. First, a missing access-control check lets unauthenticated users modify some plug-in settings. In particular, an attacker can overwrite the stored OAuth2 credentials that the plug-in uses to fetch Google Analytics data, so the plug-in ends up pulling data from the attacker's own Google Analytics account.
Second, the plug-in renders an HTML drop-down menu from the data downloaded from Google Analytics without any sanitization or HTML escaping. If the attacker enters HTML such as a <script> tag into the settings of their Google Analytics account, that code is inserted into the WordPress administration panel and executes in the browser of anyone who views those settings.
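As an added illustration (not the plug-in's or Klikki's own code), the following PHP shows the two defects described above, each beside a hardened version: a settings handler that saves the OAuth code with no capability or nonce check, and a profile drop-down that echoes Google Analytics profile names into the admin page unescaped. The option keys and the nonce action name are hypothetical, and the stand-in functions at the top exist only so the file runs with plain `php` outside WordPress; inside WordPress the real functions of the same name are used.

```php
<?php
// Added illustration, not the plug-in's own code. The option keys and the
// nonce action name below are hypothetical placeholders.

// Minimal stand-ins so this file also runs outside WordPress (`php file.php`).
// Inside WordPress these functions already exist and the block is skipped.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $s ) { return htmlspecialchars( (string) $s, ENT_QUOTES, 'UTF-8' ); }
    function esc_html( $s ) { return htmlspecialchars( (string) $s, ENT_QUOTES, 'UTF-8' ); }
    function current_user_can( $cap ) { return false; }      // simulate an anonymous visitor
    function check_admin_referer( $action ) { return false; } // simulate a missing nonce
    function wp_die( $msg ) { throw new RuntimeException( $msg ); }
    function sanitize_text_field( $s ) { return trim( strip_tags( (string) $s ) ); }
}

// --- Defect 1: settings handler without access control ---------------------
// Vulnerable pattern: whoever can reach admin-post.php can overwrite the stored
// OAuth code, so the plug-in starts fetching data from the attacker's account.
function vulnerable_save_auth_code( array $post, array &$options ) {
    $options['google_auth_code'] = $post['google_auth_code']; // no checks at all
}

// Hardened: require the manage_options capability and a valid nonce first.
function hardened_save_auth_code( array $post, array &$options ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    // 'yst_ga_save_auth' is a hypothetical nonce action name.
    if ( ! check_admin_referer( 'yst_ga_save_auth' ) ) {
        wp_die( 'Invalid request' );
    }
    $options['google_auth_code'] = sanitize_text_field( $post['google_auth_code'] );
}

// --- Defect 2: profile names written into a <select> unescaped -------------
// Vulnerable pattern: the attacker-controlled profile name lands in the admin
// page as raw HTML, so a <script> tag in it executes for the administrator.
function vulnerable_profile_dropdown( array $profiles ) {
    $html = '<select name="profile">';
    foreach ( $profiles as $id => $name ) {
        $html .= '<option value="' . $id . '">' . $name . '</option>';
    }
    return $html . '</select>';
}

// Hardened: escape each value for the context it is written into
// (attribute value vs. element text).
function hardened_profile_dropdown( array $profiles ) {
    $html = '<select name="profile">';
    foreach ( $profiles as $id => $name ) {
        $html .= '<option value="' . esc_attr( $id ) . '">' . esc_html( $name ) . '</option>';
    }
    return $html . '</select>';
}

// Constructed sample data: a profile whose name carries the advisory's test payload.
$profiles = array( '12345' => 'test"><script>alert(\'stored XSS\')</script>' );

echo "Vulnerable output:\n" . vulnerable_profile_dropdown( $profiles ) . "\n\n";
echo "Hardened output:\n"   . hardened_profile_dropdown( $profiles ) . "\n\n";

// An unauthenticated save attempt against the hardened handler is rejected.
$options = array();
try {
    hardened_save_auth_code( array( 'google_auth_code' => 'constructed-code' ), $options );
} catch ( RuntimeException $e ) {
    echo "Unauthenticated save rejected: " . $e->getMessage() . "\n";
}
```

Run stand-alone, the vulnerable drop-down prints the `<script>` tag verbatim inside the `<option>`, while the hardened one prints it as `&lt;script&gt;` text that a browser renders rather than executes, and the hardened save handler refuses the request before touching the stored OAuth code. The two fixes are independent: escaping alone stops the script from running, and the capability/nonce check alone stops an outsider from pointing the plug-in at their own account; a plug-in needs both.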
POC
The following HTML snippet can be used to hijack the Google Analytics account on a website running the vulnerable plug-in:
<a href="http://www.bkjia.com/wp-admin/admin-post.php?reauth=1">reauth</a><br><br><form method=POST action="http://www.bkjia.com/wp-admin/admin-post.php"><input type=text size=100 name="google_auth_code"><input type=submit></form>
First, the attacker clicks the "reauthorize" link. This action requires no authentication; it resets some plug-in settings and redirects the attacker to a google.com OAuth dialog, where the attacker obtains an authorization code. The attacker then copies the code, pastes it into the form above and clicks Submit. The code is now stored in the plug-in settings without any authorization check, and from then on the plug-in fetches data from the attacker's Google Analytics account.
The attacker then enters the actual payload script into their Google Analytics account settings (https://www.google.com/analytics/web?hl=en#management/Settings). For example:
test"><script>alert('stored XSS')</script>
This script pops up an alert when an administrator views the plug-in's settings page in the panel.
A real attack would more likely use the script's src attribute to load a larger script from an external website. Such a script can use AJAX to load and submit administrative forms, for example the plug-in editor, and so write and execute PHP code on the server.
Solution
Yoast was notified on July 15, March 18, 2015, and released the fixed version (5.3.3) the next day.