websecurity@lists.webappsec.org

The Web Security Mailing List

DefenseCode ThunderScan SAST Advisory: WordPress Tracking Code Manager Plugin Multiple Security Vulnerabilities

DefenseCode
Thu, May 11, 2017 10:34 AM
DefenseCode ThunderScan SAST Advisory
WordPress Tracking Code Manager Plugin
Multiple Security Vulnerabilities

Advisory ID: DC-2017-01-020
Advisory Title: WordPress Tracking Code Manager Plugin Multiple
Vulnerabilities
Advisory URL:
http://www.defensecode.com/advisories/DC-2017-01-020_WordPress_Tracking_Code_Manager_Plugin_Advisory.pdf
Software: WordPress Tracking Code Manager
Software Language: PHP
Version: 1.11.1 and below
Vendor Status: Vendor contacted
Release Date: 2017-05-10
Risk: Medium

1. General Overview
===================
During the security audit of the Tracking Code Manager plugin for
WordPress CMS, multiple vulnerabilities were discovered using the
DefenseCode ThunderScan application source code security analysis
platform.

More information about ThunderScan is available at URL:
http://www.defensecode.com

2. Software Overview
====================
According to the developers, Tracking Code Manager is a plugin to
manage all your tracking code and conversion pixels, simply.
Compatible with Facebook Ads, Google Adwords, WooCommerce, Easy
Digital Downloads, WP eCommerce.

It has more than 40,000 downloads on wordpress.org.

Homepage: https://wordpress.org/plugins/tracking-code-manager/

3. Brief Vulnerability Description
==================================
During the security analysis, ThunderScan discovered Cross-Site
Scripting and remote Denial of Service vulnerabilities in the Tracking
Code Manager plugin. The Denial of Service requires only one visit to a
specific URL, after which the whole WordPress installation becomes
completely unresponsive until restart. The DoS is based upon the ability
of the user to select and call a function of its choice (while
satisfying specific conditions). By making a recursive call to the
function that handles the request (tcmp_do_action()), DoS can easily be
accomplished.

Both vulnerabilities can be found in the settings section of the
plugin, and can be remotely triggered due to a missing nonce token and
missing validation. Since the DoS vulnerability relies on GET requests
and is missing the nonce token, the vulnerability is also directly
exposed to attack vectors such as Cross-Site Request Forgery (CSRF).

The DoS vulnerability was confirmed on Windows OS.

3.1. Cross-Site Scripting
URL Parameter:       tcmp_action
Vulnerable URL:
http://vulnerablesite.com/wp-admin/options-general.php?page=tracking-code-manager&tab=editor&tcmp_action=<script>alert(1)</script>

3.2. Denial of Service
Function:            tcmp_do_action()
Vulnerable URL:
http://vulnerablesite.com/wp-admin/options-general.php?page=tracking-code-manager&tab=editor&tcmp_action=do_action
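
To illustrate the class of fix the issues above call for, the following is an added example of a hardened admin action dispatcher written for this advisory; it is not the Tracking Code Manager's own code. It shows the controls whose absence the advisory describes: a capability check, a nonce check that blocks CSRF and bare GET links, a fixed whitelist of action names so the request can never select an arbitrary function (including the dispatcher itself), and escaping of the rejected value before it is reflected. The function names tcmp_handle_action() and tcmp_allowed_actions(), the handler names and the action keys 'save' and 'reset' are assumptions made for this example.

```php
<?php
// Added illustrative example, not the plugin's own code. Function names,
// handler names and action keys are assumptions for this example.

// Explicit map of permitted action names to handler callables. Anything
// not in this map is rejected, so the request parameter can never name
// an arbitrary function such as the dispatcher itself.
function tcmp_allowed_actions() {
    return array(
        'save'  => 'tcmp_save_settings',  // hypothetical handler
        'reset' => 'tcmp_reset_settings', // hypothetical handler
    );
}

function tcmp_handle_action() {
    // 1. Only users allowed to manage options may reach the handler.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'tcmp' ), 403 );
    }

    // 2. Require a nonce bound to this action. A plain GET link crafted by
    //    a third party (the CSRF vector in the advisory) fails here.
    check_admin_referer( 'tcmp_settings_action', '_tcmp_nonce' );

    // 3. Normalise the parameter and look it up in the whitelist.
    //    sanitize_key() reduces the value to [a-z0-9_-], so a value like
    //    "<script>alert(1)</script>" cannot survive to the lookup.
    $action = '';
    if ( isset( $_REQUEST['tcmp_action'] ) ) {
        $action = sanitize_key( wp_unslash( $_REQUEST['tcmp_action'] ) );
    }
    $map = tcmp_allowed_actions();

    if ( '' === $action || ! isset( $map[ $action ] ) ) {
        // 4. Never echo the raw request value; escape it when reflecting.
        wp_die(
            sprintf( esc_html__( 'Unknown action: %s', 'tcmp' ), esc_html( $action ) ),
            400
        );
    }

    // Only a callable chosen from the fixed map is ever invoked.
    call_user_func( $map[ $action ] );
}
```

A matching nonce must be emitted in the settings form with wp_nonce_field( 'tcmp_settings_action', '_tcmp_nonce' ) for the check_admin_referer() call to pass.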

4. Solution
===========
The vendor should resolve the security issues in the next release. All
users are strongly advised to update the WordPress Tracking Code Manager
plugin to the latest available version as soon as the vendor releases an
update.

5. Credits
==========
Discovered with DefenseCode ThunderScan Source Code Security Analyzer
by Neven Biruski

6. Disclosure Timeline
======================
04/04/2017    Vendor contacted
07/04/2017    Vendor responded: "We will fix it in the next update"
10/05/2017    Advisory released to the public

7. About DefenseCode
====================
DefenseCode L.L.C. delivers products and services designed to analyze
and test web, desktop and mobile applications for security
vulnerabilities.

DefenseCode ThunderScan is a SAST (Static Application Security
Testing, WhiteBox Testing) solution for performing extensive security
audits of application source code. ThunderScan SAST performs fast and
accurate analyses of large and complex source code projects, delivering
precise results and a low false positive rate.

DefenseCode WebScanner is a DAST (Dynamic Application Security
Testing, BlackBox Testing) solution for comprehensive security audits
of active web applications. WebScanner will test a website's security
by carrying out a large number of attacks using the most advanced
techniques, just as a real attacker would.

Subscribe for a free software trial on our website:
http://www.defensecode.com/

E-mail: defensecode[at]defensecode.com

Website: http://www.defensecode.com/
Twitter: https://twitter.com/DefenseCode/
