web application security lab

XSS and Possible Information Disclosure in Urchin

Fredrick Young sent an interesting tidbit over to me today. Apparently all sites that run Urchin’s console are vulnerable to XSS. Urchin (recently bought by Google) is web tracking software designed for log analysis. It’s actually some of the best software out there in terms of speed of log analysis. I heard rumors that lots of the backend was originally coded in assembler. Cool stuff. Anyway, after a few minutes of looking I found an example of this out on the web. Click here for an example. This brings up a few interesting points.

Firstly, it’s not running on port 80 so the same origin policy is irrelevant. Secondly, lots of people use this software, and lots of the companies who use it need to be PCI compliant, which means that all of the companies who have exposed this interface are now failing PCI. Not so nice.

Also, when locating this particular example I noticed that the password protection doesn’t seem to actually stop you from viewing the logs directly, as you can see here. Bummer. Being able to read logs could lead to disclosure of hidden files, internal IP addresses, and all kinds of other things submitted on the URL. Looks like Urchin needs a few patches. I actually like this software a lot and if I had lots of money I’d probably buy it. It’s the same back end as Google Analytics, minus the fact that Google can spy on you and your users. But it’s got a few issues.
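To make the two problems concrete, here is a small Python sketch I’ve added for illustration; it is example code written for this post, not Urchin’s code, and the log lines, the report layout and the protected path prefixes (`/report/`, `/logs/`) are all made up for the example. It parses a few combined-format access log lines, renders them into an HTML report the naive way (copying URL, referer and user-agent fields straight into the page, which is exactly how a log analyser ends up with stored XSS) and the escaped way, and then shows a deny-by-default access check that covers the raw log files as well as the console pages, so the login screen can’t simply be skipped.

```python
import html
import posixpath
import re
from urllib.parse import urlsplit

# Constructed sample access log (combined log format). Not taken from any
# real site: two of the lines carry markup in fields that a log analyser
# will later display, one in the query string and one in the referer.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Aug/2007:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "http://example.com/" "Mozilla/5.0"
203.0.113.6 - - [10/Aug/2007:12:00:02 +0000] "GET /search?q=<script>alert(1)</script> HTTP/1.1" 200 128 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Aug/2007:12:00:03 +0000] "GET /admin/.backup/ HTTP/1.1" 404 0 "http://evil.example/<img src=x onerror=alert(2)>" "curl/7.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_log(text):
    """Parse combined-format lines into dicts; lines that don't match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def render_row_unsafe(entry):
    """The pattern the post criticises: attacker-controlled log fields are
    pasted into HTML untouched, so markup in a URL, referer or user-agent
    becomes live markup in the stats page."""
    return "<tr><td>%s</td><td>%s</td><td>%s</td></tr>" % (
        entry["path"], entry["referer"], entry["agent"])


def render_row_safe(entry):
    """Same row, but every field is HTML-escaped for the text-node context
    it lands in (html.escape also escapes quotes, so it is safe in attributes)."""
    esc = lambda s: html.escape(s, quote=True)
    return "<tr><td>{}</td><td>{}</td><td>{}</td></tr>".format(
        esc(entry["path"]), esc(entry["referer"]), esc(entry["agent"]))


def render_report(entries):
    """Full (escaped) report table."""
    rows = "\n".join(render_row_safe(e) for e in entries)
    return "<table><tr><th>Path</th><th>Referer</th><th>User-Agent</th></tr>\n%s\n</table>" % rows


# Hypothetical prefixes for the stats console and the raw log files it reads.
PROTECTED_PREFIXES = ("/report/", "/logs/")


def is_allowed(request_path, authenticated):
    """Deny-by-default access check. The point is that the *raw log files*
    sit behind the same gate as the console pages; protecting only the
    console's front door is what lets logs be read directly. The path is
    normalised first so '/public/../logs/x' can't sidestep the prefix test."""
    path = posixpath.normpath(urlsplit(request_path).path)
    if not path.startswith("/"):
        return False
    for prefix in PROTECTED_PREFIXES:
        if path == prefix.rstrip("/") or path.startswith(prefix):
            return authenticated
    return True


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("unsafe:", render_row_unsafe(entries[1]))
    print("safe:  ", render_row_safe(entries[1]))
    print(render_report(entries))
    for p in ("/logs/access.log", "/public/../logs/access.log", "/index.html"):
        print(p, "anonymous allowed:", is_allowed(p, False))
```

The escaping fix is the boring part; the part people get wrong is the second one: a password prompt on the console’s index page is not an access control on the files the console reads, so the check has to apply to every path under the report and log trees, after normalisation, not just to the page with the login form.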

10 Responses to “XSS and Possible Information Disclosure in Urchin”

  1. Awesome AnDrEw Says:

    This is beautiful. Have you, or anyone else, tried sending user-agents or referers with scripts inside of them, and seeing if they result in a direct execution of the statements in that area?

  2. RSnake Says:

    I can’t comment on others but no, I haven’t tried messing with that website beyond what I posted here.

  3. MustLive Says:

    RSnake and Fredrick, cool find!

    Nice XSS hole, but especially authorization bypass hole.

    Google & Urchin need to fix them.

  4. HYPERFUKBOT Says:

    :(

    people need to learn to design software with security in mind.

    my half-assed thoughts on google-analytics:
    http://qqq3468349856.blogspot.com/2007/08/over-centralization-is-bad-for-security.html

  5. Maximinus Says:

    Nice one! Now you’ve provided a link for search engines to crawl that site’s stats…

    Anyway, very interesting find. I would have expected better security than that from something like Urchin. I’m not particularly familiar with the specifics of XSS, but that particular injection method seems like a particularly huge hole to me - blindly inserting whatever’s fed in via the URL params is a huge issue, especially when it’s more than just one particular obscure variable that gets injected - makes it so much easier to inject.

    ~Max

  6. Ronald Says:

    Very nice find :)

  7. RSnake Says:

    @Maximinus - how do you think I found it in the first place? ;) The search engines already know about that link (not the XSS obviously, but the stats).

  8. logadmin Says:

    Cool stuff. A small correction: Urchin was acquired by Google a few years ago, not recently.

  9. RSnake Says:

    Yah, I should have said that. I meant recently as compared to when they first started in the business - which has been well over ten years ago. I used them back when they were free software many years ago.

  10. Adrian Pastor Says:

    We reported these XSS issues on Urchin Web Analytics 5 to Google back on Jul 25, 2007. At this moment they are still working on a fix.

    We were planning to publish the details on GNUCITIZEN as soon as they would fix them.

    Reply from Google:

    Sorry about the delay. We are working to accurately fix the issue and deploy a patch. As you are aware, Urchin 5 is a user product and not software that we host. We want to ensure that the proper fix is made and tested without regressions. If you know of any additional vulnerabilities, please direct them to our attention. We will keep you updated with our progress.

    We appreciate your patience in this matter.

    Back in July, when I was searching for some examples in Google, I also noticed that some sites have the Urchin stats wide open, but I thought this was a configuration problem as opposed to a bug.

    Are you guys sure there is an “authorization bypass hole”?