WassUp WordPress Plugin Vulnerabilities.
WassUp is a new WordPress plugin to track your visitors in real time. It has a very readable and fancy admin console to keep tracks of your blog’s users visits. It has a “current visitors online” view and a more detailed “visitors details” view where you can know almost everything your users are doing on your blog, it’s very useful for SEO or statistics maniacs. Now it comes with a new “Spy” view in Ajax like the Digg Spy.
The WassUp plugin contains multiple XSSing and SQL injection vulnerabilities. While version 1.4.1 fixed some of the issues, there is a good number still unpatched. I won’t go into details because with code like the snippet below (from spy.php) it won’t take you long to find them.
//Retrieve command-line arguments... if (isset($_GET['to_date'])) $to_date = $_GET['to_date']; else $to_date = wassup_get_time(); if (isset($_GET['from_date'])) $from_date = $_GET['from_date']; else $from_date = ($to_date - 3); if (isset($_GET['rows'])) $rows = $_GET['rows']; else $rows = 999; spyview($from_date,$to_date,$rows);
spyview() calls $wpdb->get_results() with out performing any filtering:
$qryC = $wpdb->get_results("SELECT id, wassup_id, max(timestamp) as max_timestamp, ip, hostname, searchengine, urlrequested, agent, referrer, spider, username, comment_author FROM $table_name WHERE timestamp BETWEEN $from_date AND $to_date GROUP BY id ORDER BY max_timestamp DESC");
Regardless if the server uses magic_quotes or if the plugin is even activated, you can exploit the SQL injection on spy.php.
If that wasn’t bad enough, there is a persistent XSS when displaying tracked visitor data as they don’t filter the URL. That means just browsing the site and appending some script tags to the end of the URL, when the admin checks his visits it will execute.
On a positive note, version 1.4.1 does have SOME filtering being done mainly header data, and a few parameters but its still very bad and needs more work, but hey it’s pretty!
