Viewing 14 replies - 1 through 14 (of 14 total)
    Plugin Author noahkagan

    (@noahkagan)

    Nitin

    You have posted in this on other plugins and this is not the case for this plugin.

    If you find any vulnerability please post here, so we can fix it immediately.

    We work on this plugin nearly every day.

    Thread Starter nitstorm

    (@nitstorm)

    Hi Noah,

    I found that the cache could be cleared and a reset could be performed by CSRF on this plugin.

    ## Proof of Concept:

    https://localhost/wp-admin/options-general.php?page=google-analyticator.php&pageaction=ga_clear_cache

    https://localhost/wp-admin/options-general.php?page=ga_reset

    Thanks & regards,
    Nitin Venkatesh

    Plugin Author noahkagan

    (@noahkagan)

    Thank you VERY much for pointing this out Nitin!

    We are checking this out ??

    nk

    Plugin Author Garrett Grimm

    (@grimmdude)

    Hi Nitin,

    Can you explain why you think this is a security vulnerability? Seems to me these links allow you to clear cache, but only if logged in. Thanks,

    -Garrett

    Thread Starter nitstorm

    (@nitstorm)

    Hi Garrett,

    This is a CSRF vulnerability. Consider this scenario: the authenticated user visits another site (belonging to an attacker), where a request could be submitted to the above URL using the authenticated user’s session, and the action could be performed – even if the user never wanted something like that to happen, and without their knowledge too.

    Nitin
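    The scenario Nitin describes above is the classic pattern: a state-changing admin action is triggered by a plain GET that carries nothing a third-party page could not reproduce. The illustration below is an added example, not the Google Analyticator plugin's own code; it shows the CSRF-able handler shape beside the standard WordPress hardening (a per-user, per-action nonce checked with `check_admin_referer()`, plus a capability check). The function names `ga_handle_admin_actions_vulnerable`, `ga_handle_admin_actions_fixed`, `ga_admin_action_links`, `ga_clear_cache`, `ga_reset_settings`, the nonce action strings and the option/transient keys are this example's assumptions; only the `pageaction=ga_clear_cache` and `ga_reset` parameter values come from the thread.

```php
<?php
// Added example, not the plugin's real code. All function names, nonce
// action strings and option keys below are assumptions for illustration.

// Assumed helpers standing in for whatever the plugin actually clears/resets.
function ga_clear_cache() {
    delete_transient( 'ga_example_cache' );     // assumed transient key
}
function ga_reset_settings() {
    delete_option( 'ga_example_settings' );     // assumed option key
}

// BEFORE: the CSRF-able shape. Anyone who can get the admin's browser to
// request this URL triggers the action, because the browser attaches the
// admin's login cookies automatically and nothing in the request is secret.
function ga_handle_admin_actions_vulnerable() {
    if ( isset( $_GET['pageaction'] ) && 'ga_clear_cache' === $_GET['pageaction'] ) {
        ga_clear_cache();
    }
    if ( isset( $_GET['page'] ) && 'ga_reset' === $_GET['page'] ) {
        ga_reset_settings();
    }
}

// AFTER, part 1: every link that changes state is generated with a nonce.
// wp_nonce_url() appends _wpnonce, which is tied to the action string, the
// logged-in user and the current session, and expires after a short window.
function ga_admin_action_links() {
    $base  = admin_url( 'options-general.php?page=google-analyticator.php' );
    $clear = wp_nonce_url( add_query_arg( 'pageaction', 'ga_clear_cache', $base ), 'ga_clear_cache' );
    $reset = wp_nonce_url( add_query_arg( 'pageaction', 'ga_reset', $base ), 'ga_reset' );
    return array( 'clear' => $clear, 'reset' => $reset );
}

// AFTER, part 2: the handler refuses to act unless (a) the user holds the
// capability and (b) the nonce for that specific action verifies.
// A request forged from another site cannot carry a valid _wpnonce, so
// check_admin_referer() stops it with an error page before anything runs.
function ga_handle_admin_actions_fixed() {
    if ( ! isset( $_GET['pageaction'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    $action = sanitize_key( $_GET['pageaction'] );
    switch ( $action ) {
        case 'ga_clear_cache':
            check_admin_referer( 'ga_clear_cache' ); // dies if nonce missing/invalid
            ga_clear_cache();
            break;
        case 'ga_reset':
            check_admin_referer( 'ga_reset' );
            ga_reset_settings();
            break;
    }
}

// Register the hardened handler on the admin side only.
add_action( 'admin_init', 'ga_handle_admin_actions_fixed' );
```

    Two points worth keeping in mind when reviewing a fix like this: the nonce must be checked per action (a nonce minted for `ga_clear_cache` must not satisfy `ga_reset`), and the capability check is a separate control, since being logged in is exactly the state a CSRF attack relies on, so authentication alone proves nothing about intent.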

    @nitstorm: Thanks for informing the plugin community of this potential vulnerability. (Thanks also for how you initially attempted to inform the plugin authors more discretely.)

    @plugin authors: Any word on when it will be updated? Or, if you’ve determined that it is not an actual vulnerability, can you share the reasoning here please?

    Thread Starter nitstorm

    (@nitstorm)

    Hi Noah, Garrett,

    Could you please give us an update on the issue? You have also not replied or given any guidance regarding the post on Social Share Boost.

    I once again urge you to give an update on both the issues as soon as possible.

    Nitin

    Plugin Author Garrett Grimm

    (@grimmdude)

    Hi Nitin,

    While I’m unsure whether or not this should be considered an actual vulnerability we will be updating this plugin with a fix shortly. Thanks

    -Garrett

    Plugin Author Garrett Grimm

    (@grimmdude)

    This should now be fixed.

    -Garrett

    Thread Starter nitstorm

    (@nitstorm)

    Hi Garrett,

    Thank you for publishing the fix. Since the issue was made public a while back, I’d like to publish a disclosure report on the Full Disclosure mailing list and then request for a CVE in the oss-sec mailing list. I hope this is okay with you.

    Nitin

    While I’m unsure whether or not this should be considered an actual vulnerability

    A CSRF vulnerability should definitely be considered an actual vulnerability. In fact, it is rated 8. on the OWASP Top 10.

    It might not be the most dangerous vulnerability to have, but it is definitely a vulnerability. It is good that it has been fixed.

    So, Garrett – you’re saying the plugin has been updated to address this security issue, but there’s absolutely nothing in the changelog to indicate this.

    Can you confirm that 6.4.9.3 is secure from this issue?

    And for heaven’s sake, please include these things in the changelog in future? This is one of the main reasons for having a changelog in the first place, for those of us who maintain multiple client sites.

    For example – I saw the 6.4.9.3 update and checked the changelog. Since it only mentioned a re-enabling of a functionality none of my clients use, there was no urgency to update, and I just slated it for the next regular update I do every 2 weeks. If it had been flagged to include a security issue, I would have taken the time and trouble to update immediately.

    Paul

    Plugin Author Garrett Grimm

    (@grimmdude)

    Hi Paul,

    Sure, I’ve included this fix in the changelog and incremented the version to reflect this change.

    -Garrett

    Thanks grimmdude & Noah for updating the change log as needed. As Paul said it is essential we know when there is a security issue involved.

The topic ‘Discovered security vulnerabilities’ is closed to new replies.